Beruflich Dokumente
Kultur Dokumente
VERSION3.3
FORTINET DOCUMENTLIBRARY
http://docs.fortinet.com
FORTINETVIDEOGUIDE
http://video.fortinet.com
FORTINETBLOG
https://blog.fortinet.com
CUSTOMERSERVICE&SUPPORT
https://support.fortinet.com
FORTIGATECOOKBOOK
http://cookbook.fortinet.com
FORTINETTRAININGSERVICES
http://www.fortinet.com/training
FORTIGUARDCENTER
http://www.fortiguard.com
ENDUSER LICENSE AGREEMENT
http://www.fortinet.com/doc/legal/EULA.pdf
FEEDBACK
Email: techdocs@fortinet.com
2015-04-20
FortiAuthenticator 3.3 Administration Guide
23-330-264234-20150420
TABLEOFCONTENTS
Change Log
Introduction
Before you begin
How this guide is organized
Registering your Fortinet product
Setup
Initial setup
FortiAuthenticator VM setup
Administrative access
Adding a FortiAuthenticator unit to your network
Maintenance
Backing up the configuration
Upgrading the firmware
Licensing
Troubleshooting
FortiAuthenticator settings
FortiGate settings
CLI commands
System
Dashboard
Customizing the dashboard
System Information widget
System Resources widget
Authentication Activity widget
User Inventory widget
License Information widget
Top User Lockouts widget
Network
Interfaces
DNS
Static routing
Packet capture
Administration
GUI access
7
8
9
10
10
11
11
11
12
13
14
14
14
15
15
15
16
16
19
20
21
21
25
25
25
25
26
26
26
27
27
28
29
30
High availability
Firmware
Automatic backup
SNMP
Licensing
FortiGuard
FTP servers
Messaging
SMTP servers
E-mail services
SMS gateways
Authentication
What to configure
Password-based authentication
Two-factor authentication
Authentication servers
Machine authentication
User account policies
General
Lockouts
Passwords
Custom user fields
User management
Administrators
Local users
Remote users
Remote user sync rules
User groups
Organizations
FortiTokens
MAC devices
RADIUS attributes
FortiToken devices and mobile apps
FortiAuthenticator and FortiTokens
Monitoring FortiTokens
FortiToken device maintenance
FortiToken drift adjustment
Self-service portal
General
Access control
Self-registration
Replacement message
30
33
33
34
37
38
38
39
39
41
42
45
45
46
46
47
47
48
48
49
49
51
51
51
52
59
61
62
63
64
65
65
65
66
67
67
68
68
69
69
69
71
Device self-enrollment
Remote authentication servers
LDAP
RADIUS
RADIUS service
Clients
Importing authentication clients
Realms
Extensible authentication protocol
LDAP service
General
Directory tree overview
Creating the directory tree
Configuring a FortiGate unit for FortiAuthenticator LDAP
FortiAuthenticator agent
73
73
73
76
76
76
78
78
79
79
79
80
81
83
84
85
85
86
86
86
86
87
88
89
89
92
93
94
95
96
97
98
99
100
101
101
102
103
103
105
105
106
Monitoring
SSO
Domains
SSO sessions
Domain controllers
FortiGates
Authentication
Windows AD
Windows device logins
Inactive users
Learned RADIUS users
106
106
107
109
110
111
111
111
111
112
112
112
112
112
113
113
Certificate Management
114
Policies
Certificate expiry
End entities
Certificate authorities
Local CAs
CRLs
Trusted CAs
SCEP
General
Enrollment requests
114
114
115
120
121
125
127
127
127
128
Logging
Log access
Log configuration
Log settings
Syslog servers
Troubleshooting
Troubleshooting
Debug logs
RADIUS debugging
132
132
134
134
135
137
137
138
139
Change Log
Change Log
Date
Change Description
2015-04-20
Initial release.
Administration Guide
Fortinet Technologies Inc.
Introduction
The FortiAuthenticator device is an identity and access management solution. Identity and access management
solutions are an important part of an enterprise network, providing access to protected network assets and
tracking user activities to comply with security policies.
FortiAuthenticator provides user identity services to the Fortinet product range, as well as third party devices.
FortiAuthenticator delivers multiple features including:
l
l
l
Authentication: FortiAuthenticator includes Remote Authentication Dial In User Service (RADIUS) and
Lightweight Directory Access Protocol (LDAP) server authentication methods.
Two Factor Authentication: FortiAuthenticator can act as a two-factor authentication server with support for onetime passwords using FortiToken 200, FortiToken Mobile, Short Message Service (SMS), or e-mail.
FortiAuthenticator two-factor authentication is compatible with any system which supports RADIUS.
IEEE802.1X Support: FortiAuthenticator supports 802.1X for use in FortiGate Wireless and Wired networks.
User Identification: FortiAuthenticator can identify users through multiple data sources, including Active
Directory, Desktop Client, Captive Portal Logon, RADIUS Accounting, Kerberos, and a Representational State
Transfer (REST) API. It can then communicate this information to FortiGate, FortiCache, or FortiMail units for use
in Identity Based Policies.
Certificate Management: FortiAuthenticator can create and sign digital certificates for use, for example, in
FortiGate VPNs and with the FortiToken 300 USB Certificate Store.
Integration: FortiAuthenticator can integrate with third party RADIUS and LDAP authentication systems, allowing
you to reuse existing information sources. The REST API can also be used to integrate with external provisioning
systems.
FortiAuthenticator is a critical system, and should be isolated on a network interface that is separated from other
hosts to facilitate server-related firewall protection. Be sure to take steps to prevent unauthorized access to the
FortiAuthenticator.
Administration Guide
Fortinet Technologies Inc.
Introduction
The FortiAuthenticator series of identity and access management appliances complement the FortiToken range
of two-factor authentication tokens for secure remote access. FortiAuthenticator allows you to extend the support
for FortiTokens across your enterprise by enabling authentication with multiple FortiGate appliances and third
party devices. FortiAuthenticator and FortiToken deliver cost effective, scalable secure authentication to your
entire network infrastructure.
The FortiAuthenticator device provides an easy-to-configure remote authentication option for FortiGate users.
Additionally, it can replace the Fortinet Single Sign-On (FSSO) Agent on a Windows Active Directory (AD)
network.
For more information about FortiTokens, see the FortiToken information page on the Fortinet web site.
This chapter contains the following topics:
l
Administration Guide
Fortinet Technologies Inc.
Introduction
The system time, DNS settings, administrator password, and network interfaces have been configured.
Network Time Protocol (NTP) is critical for the time to be accurate and stable for the
Time-based One-time Password (TOTP) method used in two-factor authentication to
function correctly. See Configuring the system time, time zone, and date on page 23.
Any third-party software or servers have been configured using their documentation.
While using the instructions in this guide, note that administrators are assumed to have all permissions, unless
otherwise specified. Some restrictions will apply to administrators with limited permissions.
Setup describes initial setup for standalone and HA cluster FortiAuthenticator configurations.
System describes the options available in the system menu tree, including: network configuration, administration
settings, and messaging settings.
Authentication describes how to configure built-in and remote authentication servers and manage users and user
groups.
Port-based Network Access Control describes how to configure the FortiAuthenticator unit for IEEE 802.1X
Extensible Authentication Protocol (EAP) authentication methods, Bring Your Own Device (BYOD), and MAC-based
device authentication.
Fortinet Single Sign-On describes how to use the FortiAuthenticator unit in a single sign on (SSO) environment.
RADIUS Single Sign-On describes how to use the FortiAuthenticator unit RADIUS accounting proxy.
Certificate Management describes how to manage X.509 certificates and how to set up the FortiAuthenticator unit
to act as an Certificate Authority (CA).
Administration Guide
Fortinet Technologies Inc.
10
Setup
For information about installing the FortiAuthenticator unit and accessing the CLI or web-based manager, refer to
the Quick Start Guide provided with your unit.
This chapter provides basic setup information for getting started with your FortiAuthenticator device. For more
detailed information about specific system options, see System on page 19.
The following topics are included in this section:
l
Initial setup
Maintenance
CLI commands
Troubleshooting
Initial setup
The following section provides information about setting up the Virtual Machine (VM) version of the product.
FortiAuthenticator VM setup
Before using FortiAuthenticator-VM, you need to install the VMware application to host the FortiAuthenticator-VM
device. The installation instructions for FortiAuthenticator-VM assume you are familiar with VMware products and
terminology.
System requirements
For information on the FortiAuthenticator-VM system requirements, please see the product datasheet available
at http://www.fortinet.com/products/fortiauthenticator.
FortiAuthenticator-VM has kernel support for more than 4GB of RAM in VM images.
However, this support also depends on the VM player version. For more information,
see: http://kb.vmware.com/selfservice/microsites/search.do?language=en_
US&cmd=displayKC&externalId=1014006
The default Hardware Version is 4 to support the widest base of VM players. However
you can modify the VM Hardware Version by editing the following line in the
FortiAuthenticator-VM.vmx file:
virtualHW.version = "4"
11
Administration Guide
Fortinet Technologies Inc.
Initial setup
Setup
Administrative access
Administrative access is enabled by default on port 1. Using the Web-based Manager, you can enable
administrative access on other ports if necessary.
Enter admin as the User Name and leave the Password field blank.
HTTP access is not enabled by default. To enable access, use the set ha-mgmtaccess command in the CLI (see CLI commands on page 16), or enable HTTP
access on the interface in the Web-based Manager (see Interfaces on page 26).
Telnet
CLI access is available using telnet to the port1 interface IP address (192.168.1.99 by default). Use the telnet -K
option so that telnet does not attempt to log on using your user ID. For example:
$ telnet -K 192.168.1.99
Administration Guide
Fortinet Technologies Inc.
12
Setup
At the FortiAuthenticator login prompt, enter admin. When prompted for password press Enter. By default
there is no password. When you are finished, use the exit command to end the telnet session.
CLI access using Telnet is not enabled by default. To enable access, use the set
ha-mgmt-access command in the CLI (see CLI commands on page 16), or enable
Telnet access on the interface in the Web-based Manager (see Interfaces on page 26)
SSH
SSH provides secure access to the CLI. Connect to the port1 interface IP address (192.168.1.99 by default).
Specify the user name admin or SSH will attempt to log on with your user name. For example:
$ ssh admin@192.168.1.99
At the password prompt press Enter. By default there is no password. When you are finished, use the exit
command to end the session.
You must have security policies that allow traffic between the client network and the subnet of the
FortiAuthenticator,
You must ensure that the following ports are open in the security policies between the FortiAuthenticator and
authentication clients, in addition to management protocols such as HTTP, HTTPS, telnet, SSH, ping, and other
protocols you may choose to allow:
l
UDP/161 (SNMP)
TCP/389 (LDAP)
TCP/636 (LDAPS)
TCP/2560 (OCSP)
13
Administration Guide
Fortinet Technologies Inc.
Maintenance
Setup
6. Either enable the NTP, or manually enter the date and time. See Configuring the system time, time zone, and
date on page 23.
Enter a new time and date by either typing it manually, selecting Today or Now, or select the calendar or
clock icons for a more visual method of setting the date and time.
If you will be using FortiToken devices, Fortinet strongly recommends using NTP.
FortiToken Time based authentication tokens are dependent on an accurate system
clock.
7. Select OK.
8. If the FortiAuthenticator is connected to additional subnets, configure additional FortiAuthenticator interfaces as
required. See Interfaces on page 26.
Maintenance
System maintenance tasks include:
l
Licensing
https://support.fortinet.com.
2. Go to System> Administration > Firmware.
3. Select Browse..., and locate the firmware image on your local computer.
4. Select OK.
Administration Guide
Fortinet Technologies Inc.
14
Setup
Troubleshooting
When you select OK, the firmware image will upload from your local computer to the FortiAuthenticator
device, which will then reboot. You will experience a short period of time during this reboot when the
FortiAuthenticator device is offline and unavailable for authentication.
Licensing
FortiAuthenticator-VM works in evaluation mode until it is licensed. The license is valid only if one of the
FortiAuthenticator interfaces is set to the IP address specified in the license. See Licensing on page 37 for more
information.
To license FortiAuthenticator:
1. Go to System> Administration > Licensing.
2. Select Browse... and locate on your local computer the license file you received from Fortinet.
3. Select OK.
Troubleshooting
Troubleshooting includes useful tips and commands to help deal with issues that may occur. For additional help,
contact customer support. See Troubleshooting on page 137 for more information.
If you have issues when attempting authentication on a FortiGate unit using the FortiAuthenticator, there are
some FortiAuthenticator and FortiGate settings to check.
In addition to these settings you can use log entries, monitors, and debugging information to determine more
information about your authentication problems. For help with FortiAuthenticator logging, see Logging on page
132. For help with FortiGate troubleshooting, see the FortiOS Handbook Troubleshooting and User
Authentication guides chapters.
FortiAuthenticator settings
When checking FortiAuthenticator settings, you should ensure that:
l
l
there is an authentication client entry for the FortiGate unit. See RADIUS service on page 76,
the user trying to authenticate has a valid active account that is not disabled, and that the username and password
are spelled correctly,
the user account allows RADIUS authentication if RADIUS is enabled on the FortiGate unit,
the FortiGate unit can communicate with the FortiAuthenticator unit, on the required ports:
RADIUS Authentication: UDP/1812
LDAP: TCP/389
15
in the remote LDAP directory (if using RADIUS authentication with remote LDAP password validation),
the user is a member in the expected user groups and these user groups are allowed to communicate on the
authentication client (the FortiGate unit, for example),
Administration Guide
Fortinet Technologies Inc.
CLI commands
Setup
If authentication fails with the log error bad password, try resetting the password. If this fails, verify that the preshared secret is identical on both the FortiAuthenticator unit and the authentication client.
These steps enable the administrator to identify whether the problem is with the FortiGate unit, the credentials or
the FortiToken.
FortiGate settings
When checking FortiGate authentication settings, you should ensure that:
l
the user has membership in the required user groups and identity-based security policies,
there is a valid entry for the FortiAuthenticator device as a remote RADIUS or LDAP server,
CLI commands
The FortiAuthenticator has CLI commands that are accessed using SSH, or Telnet. Their purpose is to initially
configure the unit, perform a factory reset, or reset the values if the Web-based Manager is not accessible.
Command
Description
help
Display list of valid CLI commands. You can also enter ? for help.
exit
Command
Description
show
set port1-ip
<IP/netmask>
Enter the IPv4 address and netmask for the port1 interface. Netmask
is expected in the /xx format, for example 192.168.0.1/24.
Once this port is configured, you can use the web-based manager to
configure the remaining ports.
Enter the IPv4 address of the default gateway for this interface. This
is the default route for this interface.
Enter the current date. Valid format is four digit year, 2 digit month,
and 2 digit day. For example: set date 2014-08-12 sets the
date to August 12th, 2014.
Administration Guide
Fortinet Technologies Inc.
16
Setup
CLI commands
Command
set time <HH:MM:SS>
Enter the current time. Valid format is two digits each for hours,
minutes, and seconds. 24-hour clock is used. For example 15:10:00
is 3:10pm.
set tz <timezone_
index>
Enter the current time zone using the time zone index. To see a list
of index numbers and their corresponding time zones, enter set tz
?.
set ha-mode
{enable | disable}
set ha-port
<interface>
set ha-priority
{high | low}
Set to Low on one unit and High on the other. Normally, the unit
with High priority is the master unit.
set ha-password
<password>
set ha-mgmt-ip
<IP/netmask>
Enter the IP address, with netmask, that this unit uses for HA related
communication with the other FortiAuthenticator unit. Format:
1.2.3.4/24.
The two units must have different addresses. Usually, you should
assign addresses on the same private subnet.
set ha-mgmt-access
{ssh | https
| http | telnet}
set ha-dbg-level
<level>
unset <setting>
Restore default value. For each set command listed above, there is
an unset command, for example unset port1-ip.
Command
raid-add-disk <slot>
Command
ha-rebuild
17
Description
Description
Add a disk to a degraded RAID array.
Description
Rebuild the configuration database from scratch using the HA peer's
configuration.
Administration Guide
Fortinet Technologies Inc.
CLI commands
Command
Setup
Description
restore-admin
reboot
factory-reset
shutdown
status
Command
Description
hardware-info
disk-attributes
disk-errors
disk-health
disk-info
raid-hwinfo
Command
Description
nslookup
dig
ping
tcpdump
tcpdumpfile
traceroute
Administration Guide
Fortinet Technologies Inc.
18
System
The System tab enables you to manage and configure the basic system options for the FortiAuthenticator unit.
This includes the basic network settings to connect the device to the corporate network, the configuration of
administrators and their access privileges, managing and updating firmware for the device, and managing
messaging servers and services.
The System tab provides access to the following menus and sub-menus:
Dashboard
Network
Administration
Messaging
19
HA Status
Disk Monitor
DNS
Static routing
Packet capture
High availability
Firmware
Automatic backup
SNMP
Licensing
FortiGuard
FTP servers
Select this menu to configure messaging servers and services for the
FortiAuthenticator device.
l
SMTP servers
l
E-mail services
SMS gateways
Administration Guide
Fortinet Technologies Inc.
Dashboard
System
Dashboard
When you select the System tab, it automatically opens at the System > Dashboard page.
The Dashboard page displays widgets that provide performance and status information and enable you to
configure some basic system settings. These widgets appear on a single dashboard.
System Resources
Displays the usage status of the CPU and memory. For more information,
see System Resources widget on page 25.
Authentication Activity
User Inventory
HA Status
License Information
Administration Guide
Fortinet Technologies Inc.
20
System
Dashboard
Disk Monitor
Displays the top user lockouts. For more information, see Top User
Lockouts widget on page 26.
To move a widget
Position your mouse cursor on the widgets title bar, then click and drag the widget to its new location.
To add a widget
In the dashboard toolbar, select Add Widget, then select the name of widget that you want to show. Multiple
widgets of the same type can be added. To hide a widget, in its title bar, select the Close icon.
Widget Title
Edit
Refresh
Close
Select to remove the widget from the dashboard. You will be prompted to
confirm the action. To add the widget, select Widget in the toolbar and then
select the name of the widget you want to show.
21
Administration Guide
Fortinet Technologies Inc.
Dashboard
System
The DNS domain name. For more information, see Changing the DNS
domain name on page 23.
Serial Number
System Time
The current date, time, and time zone on the FortiAuthenticator internal
clock or NTP server. For more information, see Configuring the system
time, time zone, and date on page 23.
Firmware Version
The version number and build number of the firmware installed on the
FortiAuthenticator unit. To update the firmware, you must download the
latest version from the Customer Service & Support portal at
https://support.fortinet.com. Select Update and select the firmware image
to load from your management computer.
Architecture
System Configuration
Current Administrator
Uptime
The duration of time the FortiAuthenticator unit has been running since it
was last started or restarted.
Shutdown/Reboot
Administration Guide
Fortinet Technologies Inc.
22
System
Dashboard
3. Configure the following settings to either manually configure the system time, or to automatically synchronize the
FortiAuthenticator units clock with an NTP server:
23
Change Timezone
View the current time in the Current time field, and select the timezone
from the Time zone drop-down list.
NTP enabled
Select this option to automatically synchronize the date and time of the
FortiAuthenticator units clock with an NTP server, then configure the NTP
server field before you select OK.
NTP is critical for the time to be accurate and stable for the TOTP method
used in two-factor authentication to function correctly.
Administration Guide
Fortinet Technologies Inc.
Dashboard
System
NTP server
Set date/time
If NTP is not enabled, manually enter the date and time in the appropriate
fields. You can also select the calendar or clock icons to select a specific
date or general time from the pop-up menus.
Select Download backup file to save a backup file onto the management
computer.
Restore File
Restoring a configuration is only possible from a backup file made on the same model
running the same version of the operating system.
Administration Guide
Fortinet Technologies Inc.
24
System
Dashboard
Enter a custom widget title for the widget, or leave it blank to keep the
default title.
Refresh interval
Enter a custom refresh interval for the widget (in seconds), or leave it as the
default time of 300 seconds.
Time period
Select a time period for the graph to cover from the drop-down list. The
available options are: last 6 hours, last 24 hours, last 3 days, last 7 days,
and last 30 days.
Activity Type
Select the activity type to display in the graph. The available options are: All
login attempts, Successful login attempts, and Failed login attempts.
25
Administration Guide
Fortinet Technologies Inc.
Network
System
Network
The Network tree menu allows you to configure device interfaces, DNS configuration, static routing, and packet
capturing.
Interfaces
To view the interface list, go to System > Network > Interfaces.
The following information is shown:
Edit
Search
Enter a search term in the search text box then select Search to search the
interface list.
Interface
IPv4
IPv6
Link Status
To edit an interface:
1. In the interfaces list, select the interface you need to edit and select the Edit button, or select the interface name.
The Edit Network Interface window opens.
Administration Guide
Fortinet Technologies Inc.
26
System
Network
IP Address / Netmask
IPv4
Enter the IPv4 address and netmask associated with this interface.
IPv6
Access Rights
Admin access
Services
DNS
To configure DNS settings, go to System > Network > DNS. The primary and secondary nameserver IP
addresses can be changed as needed. To apply the changes, select OK.
Static routing
To view the list of static routes, go to System > Network > Static Routing. Routes can be created, edited, and
deleted as required.
27
Administration Guide
Fortinet Technologies Inc.
Network
System
Delete
Edit
IP/Mask
Gateway
The IP address of the next hop router to which this route directs traffic.
Device
Network interface
Gateway
Enter the IP address of the next hop router to which this route directs traffic.
Comment
Packet capture
Packets can be captured on configured interfaces by going to System > Network > PacketCapture.
The following information is available:
Edit
Interface
The name of the configured interface for which packets can be captured.
For information on configuring an interface, see Interfaces on page 26.
Administration Guide
Fortinet Technologies Inc.
28
System
Administration
Status
The status of the packet capture process. Allows you to start and stop the
capturing process, and download the most recently captured packets.
To start capturing packets on an interface, select the Start capturing button for that interface. The Status will
change to Capturing, and the Stop capturing and download buttons will become available.
Administration
Configure administrative settings for the FortiAuthenticator device. This section includes:
29
GUI access
High availability
Firmware
Automatic backup
SNMP
Licensing
FortiGuard
FTP servers
Administration Guide
Fortinet Technologies Inc.
Administration
System
GUI access
To adjust Web-based Manager access settings, go to System > Administration > GUI Access. The Edit GUI
Access Settings page will open.
Enter the amount of time before the Web-based Manager times out due to
inactivity, from 1 to 480 minutes.
HTTPS Certificate
Additional allowed
hosts/domain names
Specify any additional hosts that this site can serve, separated by commas
or line breaks.
Select OK to apply any changes. See Certificate Management on page 114 for more information about
certificates.
High availability
Two FortiAuthenticator units can operate as a cluster to provide even higher reliability, called HA.
There are three HA roles:
l
Cluster member
Standalone master
Load-balancing slave
Administration Guide
Fortinet Technologies Inc.
30
System
Administration
To configure FortiAuthenticator HA
1. On each unit, go to System > Administration > HighAvailability
2. Enter the following information:
Enable HA
Enable HA.
Role
Interface
Enter the IP address this unit uses for HA-related communication with the
other FortiAuthenticator unit. The two units must have different addresses.
Usually, you should assign addresses on the same private subnet.
Admin access
Priority
Set to Low on one unit and High on the other. Normally, the unit with High
priority is the master unit.
Password
Enter a string to be used as a shared key for IPsec encryption. This must be
the same on both units.
Group mappings
Other features, such as FSSO and certificates, cannot be synchronized between devices.
31
Administration Guide
Fortinet Technologies Inc.
Administration
System
The standalone master is the primary system where users, groups, and tokens are configured. The loadbalancing slave is synchronized to the master.
To improve the resilience of the master system, an active-passive master cluster with up to two load-balancing
slave devices can be configured.
To configure load-balancing HA
1. On each unit, go to System > Administration > HighAvailability
2. Enter the following information:
Enable HA
Enable HA.
Role
Password
Enter a string to be used as a shared key for IPsec encryption. This must be
the same on both units.
Load-balancing slaves
If you disable and then re-enable HA operation, the interface that was assigned to HA
communication will not be available for HA use. You must first go to System >
Network > Interfaces and delete the IP address from that interface.
Administration Guide
Fortinet Technologies Inc.
32
System
Administration
Firmware upgrade
When upgrading the firmware on FortiAuthenticator devices in an HA cluster, specific steps must be taken to
ensure that the upgrade is successful:
1. Start the firmware upgrade on the active, or master, device. See Upgrading the firmware on page 14.
The device will reboot. While the master device is rebooting, the standby, or slave, device becomes the
master.
2. Start the firmware upgrade on the new master device.
The device will reboot.
Once both devices have rebooted, the original master device will again be the master, while the slave device
will return to being the slave.
If a situation arises where both devices are claiming to be the HA master due to a firmware mismatch, and the HA
port of the device that is intended to be the slave cannot be accessed (such as when a crossover cable is being
used), use the following steps:
1. Shutdown the master device to which you have access, or, if physical access to the unit is not available to turn it
back on, reboot the device. See System Information widget on page 21.
Note that, if rebooting the device, Step 2must be completed before the device finishes rebooting, which is
can be as short as 30 seconds.
2. With the previously inaccessible device now accessible, upgrade its firmware to the required version so that both
devices have the same version.
The device will reboot.
3. If you shutdown the device in Step 1, power it back on.
Once both devices are back online, they will assume the HA roles dictated by their respective HA priorities.
Firmware
The FortiAuthenticator firmware can be upgraded by either going to System > Administration > Firmware, or
through the System Information widget of the dashboard (see System Information widget on page 21).
For instructions on upgrading the devices firmware, see Upgrading the firmware on page 14.
Upgrade history
The upgrade history of the device is shown under the Upgrade History heading in the Firmware Upgrade or
Downgrade pane. It displays the version that was upgraded to, the time and date that the upgrade took place,
and the user that performed the upgrade. This information can be useful when receiving support to identify
incorrect upgrade paths that can cause stability issues.
Always review all sections in the FortiAuthenticator Release Notes prior to upgrading your device.
Automatic backup
You can configure the FortiAuthenticator to automatically back up the configuration of the FortiAuthenticator unit
to an FTP or SFTP server.
Even though the backup file is encrypted to prevent tampering, access to the FTP server should be restricted.
This configuration file backup includes both the CLI and Web-based Manager configurations of the
33
Administration Guide
Fortinet Technologies Inc.
Administration
System
FortiAuthenticator unit. The backed-up information includes users, user groups, FortiToken device list,
authentication client list, LDAP directory tree, FSSO settings, remote LDAP and RADIUS, and certificates.
To configure automatic backups, go to System > Administration > Config Auto-backup.
Enter the following information, and then select OK to apply the settings:
Enable configuration autobackup
Frequency
Select the automatic backup frequency, one of: Hourly, Daily, Weekly, or
Monthly.
Backup time
Entire a time for the backups to occur, or select the clock icon and select
from the drop-down menu. You can also select Now to set the scheduled
time to the current time.
This options is not available when the frequency is set to hourly.
FTP directory
Enter the FTP directory where the backup configuration files will be saved.
FTP server
Select the FTP server to which the backup configuration files will be saved.
See FTP servers on page 38 for information on adding FTP servers.
SNMP
Simple Network Management Protocol (SNMP) enables you to monitor hardware on your network. You can
configure the hardware, such as the FortiAuthenticator SNMP agent, to report system information and send traps
(alarms or event messages) to SNMP managers. An SNMP manager, or host, is typically a computer running an
application that can read the incoming trap and event messages from the agent, and send out SNMP queries to
the SNMP agents.
By using an SNMP manager, you can access SNMP traps and data from any FortiAuthenticator interface
configured for SNMP management access. Part of configuring an SNMP manager is listing it as a host in a
community on the FortiAuthenticator unit it will be monitoring. Otherwise, the SNMP monitor will not receive any
traps from that unit, or be able to query that unit.
The FortiAuthenticator SNMP implementation is read-only. SNMP v1, v2c, and v3 compliant SNMP managers
have read-only access to system information through queries and can receive trap messages from the
FortiAuthenticator unit.
To monitor FortiAuthenticator system information and receive FortiAuthenticator traps, your SNMP manager
needs the Fortinet and FortiAuthenticator Management Information Base (MIB) files. A MIB is a text file that lists
the SNMP data objects that apply to the device to be monitored. These MIBs provide information that the SNMP
manager needs to interpret the SNMP trap, event, and query messages sent by the FortiAuthenticator unit SNMP
agent.
The Fortinet implementation of SNMP includes support for most of RFC 2665 (Ethernet-like MIB) and most of
RFC1213 (MIB II). RFC support for SNMP v3 includes Architecture for SNMP Frameworks (RFC 3411), and
partial support of User-based Security Model (RFC 3414).
Administration Guide
Fortinet Technologies Inc.
34
System
Administration
SNMP traps alert you to important events that occur, such as overuse of memory or a high rate of authentication
failures.
SNMP fields contain information about the FortiAuthenticator unit, such as CPU usage percentage or the number
of sessions. This information is useful for monitoring the condition of the unit on an ongoing basis and to provide
more information when a trap occurs.
Configuring SNMP
Before a remote SNMP manager can connect to the Fortinet agent, you must configure one or more interfaces to
accept SNMP connections by going to System > Network > Interfaces. Select the interface, and in
Administrative Access, select SNMP. See Interfaces on page 26.
You can also set the thresholds that trigger various SNMP traps. Note that a setting of zero disables the trap.
Enter the contact information for the person responsible for this
FortiAuthenticator unit.
SNMP Description
SNMP Location
The user table is nearly full. The threshold is a percentage of the maximum
permitted number of users.
The user group table is nearly full. The threshold is a percentage of the
maximum permitted number of user groups.
35
Administration Guide
Fortinet Technologies Inc.
Administration
System
Events
Select the events for which traps are enabled. Options include:
l
CPU usage is high
l
Memory is low
Interface IP is changed
4. In SNMPHosts, select Add another SNMP Host and enter the following information:
IP/Netmask
Queries
Traps
Delete
Administration Guide
Fortinet Technologies Inc.
36
System
Administration
Username
Security Level
Events
Select the events for which traps are enabled. See Events on page 36.
4. In SNMPNotificationHosts, select Add another SNMP Notification Host and enter the following information:
IP/Netmask
Delete
Licensing
FortiAuthenticator-VM works in evaluation mode until it is licensed. In evaluation mode, only a limited number of
users can be configured on the system. To expand this capability, a stackable licence can be applied to the
system to increase both the user count, and all other metrics associated with the user count.
When a license is purchased, a registration code is provided. Go to support.fortinet.com and register your device
by entering the registration code. You will be asked for the IP address of your FortiAuthenticator unit, and will
then be provided with a license key.
Ensure that the IP address specified while registering your unit is configured on one of the devices network
interfaces, then upload the license key to your FortiAuthenticator-VM.
The License Information widget shows the current state of the device license. See License Information widget on
page 25.
To license FortiAuthenticator:
1. Register your device.
2. Ensure that one of your devices network interfaces is configured to the IP address specified during registration.
3. Go to System> Administration > Licensing.
4. Select Browse... and locate, on your local computer, the license file you received from Fortinet.
5. Select OK.
37
Administration Guide
Fortinet Technologies Inc.
Administration
System
FortiGuard
To view and configure FortiGuard connections, go to System > Administration > FortiGuard. The FortiGuard
Distribution Network (FDN) page provides information and configuration settings for FortiGuard subscription
services. For more information about FortiGuard services, see the FortiGuard Center web page
(http://www.fortiguardcenter.com).
Configure the following settings, then select OK to apply them:
FortiGuard Subscription Services
Messaging
Service
SMS messages
The total number of allowed SMS messages, and the number of messages
that have been used.
Server port
Server port
Activation
timeout
Token size
Time step
Require PIN
Server port
FTP servers
To view a list of the configured FTP servers, go to System > Administration > FTP Servers.
The following information is shown:
Create New
Administration Guide
Fortinet Technologies Inc.
38
System
Messaging
Delete
Edit
Name
Server name/IP
Connection type
Server name/IP
Port
Anonymous
Username
Password
Messaging
The FortiAuthenticator unit sends email for several purposes, such as password reset requests, new user
approvals, user self-registration, and two-factor authentication.
By default, the FortiAuthenticator unit uses its built-in Simple Mail Transfer Protocol (SMTP) server. This is
provided for convenience, but is not necessarily optimal for production environments. Fortinet recommends that
you configure the unit to use a reliable external mail relay.
There are two distinct email services:
l
If you will send SMS messages to users, you must configure the SMS gateways that you will use. Ask your SMS
provider for information about using its gateway. The FortiAuthenticator SMS gateway configuration differs
according to the protocol your SMS provider uses.
SMTP servers
To view a list of the SMTP servers, go to System > Messages > SMTPServers.
The following information is shown:
39
Administration Guide
Fortinet Technologies Inc.
Messaging
System
Create New
Delete
Edit
Set as Default
Name
Server
Default
Shows a green circle with a check mark for the default SMTP server. To
change the default server, select the server you would like to use as the
default, then select Set as Default in the toolbar.
Server Name/IP
Enter the IP address or Fully Qualified Domain Name (FQDN) of the mail
server.
Port
The default port 25. Change it if your SMTP server uses a different port.
Enter the email address to put in the From field on email messages from
the FortiAuthenticator unit.
Secure connection
For a secure connection to the mail server, select STARTTLS from the
drop -down list, then select the CA certificate that validates the servers
certificate. For information about importing the CA certificate, see
Importing CA certificates and signing requests on page 123.
Enable authentication
Select if the email server requires you to authenticate when sending email.
Enter the Account username and Password if required.
Administration Guide
Fortinet Technologies Inc.
40
System
Messaging
3. Optionally, select TestConnection to send a test email message. Specify a recipient and select Send. Confirm
that the recipient received the message.
The recipients email system might treat the test email message as spam.
E-mail services
To view a list of the email services, go to System > Messages > E-mailServices.
The following information is shown:
Edit
Recipient
SMTP server
The SMTP server associated with the recipient. The server can be selected
from the drop-down list.
Save
41
SMTP Server
Public Address
Administration Guide
Fortinet Technologies Inc.
Messaging
System
Address
discovery method
Address
Port
Network interface
Select a configured network interface from the drop-down list. This option is
only available when the Address discovery method is set to Use the IP
address from a network interface.
SMS gateways
To view a list of the configured SMS gateways, go to System > Messages > SMS Gateways.
The following information is shown:
Create New
Delete
Edit
Set as Default
Name
Protocol
SMTP server
API URL
Default
Shows a green circle with a check mark for the default SMS gateway. To
change the default gateway, select the gateway you would like to use as
the default, then select Set as Default in the toolbar.
You can also configure the message that you will send to users. You can use the following tags for user-specific
information:
Administration Guide
Fortinet Technologies Inc.
42
System
Messaging
Tag
Information
{{:country_code}}
{{:mobile_number}}
{{:message}}
43
Name
Protocol
Select SMTP.
SMTP server
Select the SMTP server you use to contact the SMS gateway. The SMTP
server must already be configured, see SMTP servers on page 39.
Mail-to-SMS gateway
Subject
Body
E-mail Preview
Administration Guide
Fortinet Technologies Inc.
Messaging
System
3. Optionally, select Test Settings to send a test SMS message to the user.
4. Select OK to create a new SMTP SMS gateway.
Protocol
HTTP/HTTPS
HTTP method
API URL
CA certificate
Select CA certificate that validates this SMS provider from the drop-down
list. This option is only available if Protocol is set to HTTPS.
HTTP Parameters
Field
Enter the parameter names that the SMS providers URL requires, such as
user and password.
Value
Delete
3. If you need more parameter entries, select Add another SMS Gateway HTTP Parameter.
4. Optionally, select Test Settings to send a test SMS message to the user.
5. Select OK to create a new HTTP or HTTPS SMS gateway.
Administration Guide
Fortinet Technologies Inc.
44
Authentication
FortiAuthenticator provides an easy to configure authentication server for your users. Multiple FortiGate units can
use a single FortiAuthenticator unit for remote authentication and FortiToken device management.
What to configure
User management
Self-service portal
RADIUS service
LDAP service
FortiAuthenticator agent
What to configure
You need to decide which elements of FortiAuthenticator configuration you need.
l
45
Determine the type of authentication you will use: password-based or token-based. Optionally, you can enable both
types, this is called two-factor authentication.
Administration Guide
Fortinet Technologies Inc.
What to configure
Authentication
Determine the type of authentication server you will use: RADIUS, built-in LDAP, or Remote LDAP. You will need to
use at least one of these server types.
Determine which FortiGate units or third-party devices will use the FortiAuthenticator unit. The FortiAuthenticator
unit must be configured on each FortiGate unit as an authentication server, either RADIUS or LDAP. For RADIUS
authentication, each FortiGate unit or third-party device must be configured on the FortiAuthenticator unit as an
authentication client.
Password-based authentication
User accounts can be created on the FortiAuthenticator device in multiple ways:
l
Administrator creates a username and a random password is automatically emailed to the user.
Users are created by importing either a CSV file or from an external LDAP server.
Users can self-register for password-based authentication. This reduces the workload for the system
administrator. Users can choose their own passwords or have a randomly generated password provided in the
browser or sent to them through email or SMS. Self-registration can be instant, or it can require administrator
approval. See Self-registration on page 69.
Once created, users are automatically part of the RADIUS Authentication system and can be authenticated
remotely.
See User management on page 51 for more information about user accounts.
Two-factor authentication
Two-factor authentication increases security by requiring multiple pieces of information on top of the username
and password. There are generally two factors:
l
Requiring the two factors increases the difficulty for an unauthorized person to impersonate a legitimate user.
To enable two-factor authentication, configure both password-based and token-based authentication in the users
account.
FortiAuthenticator token-based authentication requires the user to enter a numeric token at login. Two types of
numerical tokens are supported:
l
FortiToken 200
Administration Guide
Fortinet Technologies Inc.
46
Authentication
What to configure
The token passcode is generated using an event trigger and a secret key. Event tokens are supported using a
valid email account and a mobile phone number with SMS service.
FortiToken devices, FortiToken Mobile apps, email addresses, and phone numbers must be configured in the
users account.
Only the administrator can configure token-based authentication. See Configuring token based authentication
on page 55.
Authentication servers
The FortiAuthenticator unit has built-in RADIUS and LDAP servers. It also supports the use of remote RADIUS
and LDAP (which can include Windows AD servers).
The built-in servers are best used where there is no existing authentication infrastructure, or when a separate set
of credentials is required. You build a user account database on the FortiAuthenticator unit. The database can
include additional user information such as street addresses and phone numbers that cannot be stored in a
FortiGate units user authentication database. To authenticate, either LDAP or RADIUS can be used. The remote
LDAP option adds your FortiGate units to an existing LDAP structure. Optionally, you can add two-factor
authentication to remote LDAP.
RADIUS
If you use RADIUS, you must enable RADIUS in each user account. FortiGate units must be registered as a
RADIUS authentication clients in Authentication > RADIUS Service > Clients. See RADIUS service on page 76.
On each FortiGate unit that will use the RADIUS protocol, the FortiAuthenticator unit must be configured as a
RADIUS server in User&Device > Authentication > RADIUSServer.
Built-in LDAP
If you use built-in LDAP, you will need to configure the LDAP directory tree. You add users from the user database
to the appropriate nodes in the LDAP hierarchy. See Creating the directory tree on page 81. On each FortiGate
unit that will use LDAP protocol, the FortiAuthenticator unit must be configured as an LDAP server in
User&Device>Authentication >LDAPServer.
Remote LDAP
Remote LDAP is used when an existing LDAP directory exists and should be used for authentication. User
information can be selectively synchronised with the FortiAuthenticator unit, but the user credentials (passwords)
remain on, and are validated against the LDAP directory.
To utilize remote LDAP, the authentication client (such as a FortiGate device) must connect to the
FortiAuthenticator device using RADIUS to authenticate the user information (see
User&Device>Authentication>RADIUSServer). The password is then proxied to the LDAP server for
validation, while any associated token passcode is validated locally.
Machine authentication
Machine, or computer, authentication is a feature of the Windows supplicant that allows a Windows machine to
authenticate to a network via 802.1X prior to user authentication.
Machine authentication is performed by the computer itself, which sends its computer object credentials before
the Windows logon screen appears. User authentication is performed after the user logs in to Windows.
47
Administration Guide
Fortinet Technologies Inc.
Authentication
Based on the computer credentials provided during machine authentication, limited access to the network can be
granted. For example, access can be granted to just the Active Directory server to enable user authentication.
Following machine authentication, user authentication can take place to authenticate that the user is also valid,
and to then grant further access to the network.
Machine authentication commonly occurs on boot up or log out, and not, for example, when a device awakens
from hibernation. Because of this, the FortiAuthenticator caches authenticated devices based on their MAC
addresses for a configurable period (see General on page 48). For more information on cached users, see
Windows device logins on page 112
To configure machine authentication, see Clients on page 76.
General
To configure general account policy settings, go to Authentication > User Account Policies > General.
Configure the length of time, plus or minus the current time, that a
FortiToken code is deemed valid, from 1 to 60 minutes (default = 1 minute).
Configure the period of time in which the entry of an invalid tokem can
trigger a synchronization, from 5 to 480 minutes (default = 60 minutes).
If the token is incorrect according to the FortiToken valid window, but exists
in the sync window, synchronization will be initiated.
Set a time after which a token code sent via email or SMS will be marked as
expired, from 10 to 3600 seconds.
Administration Guide
Fortinet Technologies Inc.
48
Authentication
Automatically purge
expired user accounts
Select to restrict web service access to a specific port, then select the port
from the Web service interface drop-down list.
Lockouts
For various security reasons, you may want to lock a users account. For example, repeated unsuccessful
attempts to log in might indicate an attempt at unauthorized access.
Information on locked out users can be viewed in the Top User Lockouts widget, see Top User Lockouts widget
on page 26.
Currently locked out users can be viewed in Monitor > Authentication > Inactive Users, see Inactive users on
page 113.
Specify lockout
period
Enable user account lockout for failed login attempts and enter the
maximum number of allowed failed attempts in the Max. failed login
attempts field.
Select to specify the length of the lockout period, from 60 to 86400
seconds. After the lockout period expires, the Max. failed login attempts
number applies again.
When disabled, locked out users will be permanently disabled until an
administrator manually re-enables them.
Select to enable disabling a user account if there is no login activity for a
given number of days. In the Lock out inactive users after field, enter the
number of days, from 1 to 1825, after which a user is locked out.
Passwords
You can enforce a minimum length and complexity for user passwords, and can force users to change their
passwords periodically.
For information on setting a users password, and password recovery options, see Editing a user on page 54.
Go to Authentication > User Account Policies > Passwords to configure password policy settings.
49
Administration Guide
Fortinet Technologies Inc.
Authentication
Administration Guide
Fortinet Technologies Inc.
50
Authentication
User management
User management
FortiAuthenticators user database has the benefit of being able to associate extensive information with each
user, as you would expect of RADIUS and LDAP servers. This information includes: whether the user is an
administrator, uses RADIUS authentication, uses two-factor authentication, and personal information such as full
name, address, password recovery options, and the groups that the user belongs to.
The RADIUS server on the FortiAuthenticator unit is configured using default settings. For a user to authenticate
using RADIUS, the option Allow RADIUS Authentication must be selected for that users entry, and the
FortiGate unit must be added to the authentication client list. See RADIUS service on page 76.
This section includes the following subsections:
l
Administrators
Local users
Remote users
User groups
Organizations
FortiTokens
MAC devices
RADIUS attributes
Administrators
Administrator accounts on FortiAuthenticator are standard user accounts that are flagged as administrators. Both
local users and remote LDAP users can be administrators.
Once flagged as an administrator, a user accounts administrator privileges can be set to either full access or
customized to select their administrator rights for different parts of the FortiAuthenticator unit.
The subnets from which administrators are able to log in can be restricted by entering the IP addresses and
netmasks of trusted management subnets.
There are log events for administrator configuration activities. Administrators can also be configured to
authenticate to the local system using two-factor authentication.
An account marked as an administrator cannot be used for RADIUS authentication.
See Configuring a user as an administrator on page 56 for more information.
51
Administration Guide
Fortinet Technologies Inc.
User management
Authentication
Local users
Local user accounts can be created, imported, exported, edited, and deleted as needed. Expired local user
accounts can be purged manually or automatically (see General on page 48).
To manage local user accounts, go to Authentication > User Management > Local Users.
The local user account list shows the following information:
Create New
Import
Export Users
Purge Expired
Edit
Delete
Search
Enter a search term in the search field, then select Search to search the
user account list.
Username
First name
Last name
Email address
Admin
Status
If the user account is enabled, a green circle with a check mark is shown.
Token
The token that is assigned to that user account. Select the token name to
edit the FortiToken, see FortiToken device maintenance on page 67.
Groups
Administration Guide
Fortinet Technologies Inc.
52
Authentication
User management
Authentication Method
Expiration
The date and time that the user account expires, if an expiration date and
time have been set for the account.
Adding a user
When creating a user account, there are three ways to handle the password:
l
The FortiAuthenticator unit creates a random password and automatically emails it to the new user.
Password creation
Expire after
Set an expire date: Enter the date on which the account will expire,
either by manually typing it in, or by selecting the calendar icon
then selecting a date on the pop-up calendar.
53
Administration Guide
Fortinet Technologies Inc.
User management
Authentication
Editing a user
User accounts can be edited at any time. When creating a new user, you will be immediately redirected to the
Change user window to complete the user configuration.
To view the Change user window, go to the user account list, select the user you will be editing, and then select
Edit from the toolbar. Conversely, selecting the username in the user list will also open the Change user window.
Disabled
Password-based
authentication
Token-based authentication
User Role
Administration Guide
Fortinet Technologies Inc.
54
Authentication
User management
Role
Allow RADIUS
authentication
Allow LDAP
browsing
User Information
Enter user information, such as their address and phone number. See
Adding user information on page 56.
Alternative e-mail
addresses
Password Recovery
Options
Groups
Assign the user to one or more groups. See User groups on page 62.
E-mail Routing
Enter a mail host and routing address into their respective fields to
configure email routing for the user.
Radius Attributes
Certificate Bindings
Add, edit, or removed certificate bindings for the user account. See
Configuring certificate bindings on page 58.
Select the certificate name to view the certificate, or select the Revoke
Certificate button to revoke the certificate.
Select OK when you have finished editing the users information and settings.
a FortiToken device or mobile device with the FortiToken Mobile app installed,
If a FortiToken device or FortiToken Mobile app will be used, it must first be registered in Authentication > User
Management > FortiTokens. See FortiTokens on page 64 for more information.
55
Select FortiToken, then select the FortiToken device serial number from the FortiToken200 or FortiToken
Mobile drop-down lists, as appropriate.
Administration Guide
Fortinet Technologies Inc.
User management
Authentication
The device must be known to the FortiAuthenticator unit. See FortiToken devices and mobile apps on page
65.
Optionally, select Configure a temporary e-mail/SMS token to receive a temporary token code via email or
SMS.
l
Select Email and enter the users email address in the User Information section.
Select SMS and enter the users mobile number in the User Information section.
4. Select Test Token to validate the token passcode. The Test Token window opens.
a. For email and SMS tokens, confirm that the contact information is correct, select Next, then enter the
token code received via email or SMS.
b. Select Back to return to edit the contact information, select Verify to verify the token passcode, or select
Resend Code if a new code is required.
c. For FortiToken, enter the token code in the Token code field, then select Verify to verify the token
passcode.
5. Select OK.
By default, token-based authentication must be completed within 60 seconds after the
token passcode is sent by email or SMS. To change this timeout, go to Authentication
> User Account Polices > Lockouts and modify the Email/SMS Token Timeout field,
see Lockouts on page 49.
First name
Administration Guide
Fortinet Technologies Inc.
Last name
56
Authentication
User management
Email address
Phone number
Mobile number
Street address
City
State/Province
57
Administration Guide
Fortinet Technologies Inc.
User management
Authentication
3. In the Password Recovery Options section, select Security Question, and select Edit.
4. Choose one of the questions in the list, or select Write my own question and enter a question in the Custom
question field.
5. Enter the answer for your question.
6. Select OK.
If an email address was entered, check your email, open the email and select the password recovery link.
If a username was entered, answer the security question and then select Next.
The recovery options available depend on the settings in the user account.
6. On the Reset Password page, enter and confirm a new password and then select Next.
The user can now authenticate using the new password.
Create a user certificate for the user, see To create a new certificate: on page 116.
Administration Guide
Fortinet Technologies Inc.
58
Authentication
User management
Remote users
Remote LDAP users must be imported into the FortiAuthenticator user database from LDAP servers, see LDAP
on page 73. A maximum of five users can be imported.
A FortiToken device already allocated to a local account cannot be allocated to an
LDAP user as well; it must be a different FortiToken device.
Remote RADIUS users can be created, migrated to LDAP users, edited, and deleted.
LDAP users
To import remote LDAP users:
1. Go to Authentication > User Management > Remote Users, ensure that LDAP users is selected, then select
Import. The Import Remote LDAP Users screen open.
2. Select a remote LDAP server from the Remote LDAP Server drop-down list, then select Import Users.
An LDAP server must already be configured to select it in the drop-down list. See
Remote authentication servers on page 73 for information on adding a remote LDAP
server.
The Import Remote LDAP Users window opens in a new browser window.
3. Optionally, enter a Filter string to reduce the number of entries returned, and then select Apply, or select Clear to
clear the filters.
4. The default configuration imports the attributes commonly associated with Microsoft Active Directory LDAP
implementations. Select Configure user attributes to edit the remote LDAP user mapping attributes.
Selecting the field, FirstName for example, presents a list of attributes which have been detected and can be
selected. This list is not exhaustive and additional, non-displayed attributes may be available for import.
Consult your LDAP administrator for a list of available attributes.
5. Select the entries you want to import.
6. Optionally, select an organization from the Organization drop-down to associated the imported users with a
specific organization. See Organizations on page 63.
7. Select OK.
59
Administration Guide
Fortinet Technologies Inc.
User management
Authentication
The amount of time required to import the remote users will vary depending on the number of users being
imported.
RADIUS users
To view remote RADIUS users, go to Authentication > User Management > Remote Users and select RADIUS
users in the toolbar. See RADIUS on page 76 for more information about remote RADIUS servers.
The following options are available:
Create New
Delete
Edit
Migrate
Select to migrate the selected user or users. See To migrate RADIUS users
to LDAP users: on page 61.
Token-based Auth
Search
Username
Token
Enforce token-based
authentication
Administration Guide
Fortinet Technologies Inc.
60
Authentication
User management
Select the remote RADIUS server on which the user will be created from
the drop-down list. For more information on remote RADIUS servers, see
RADIUS on page 76.
Username
Enter a username.
Enforce token-based
authentication if configured
below
Token-based authentication
Deliver token
code by
Select the method by which token code will be delivered. One of:
l
FortiToken: select the FortiToken device serial number from the
FortiToken200 or FortiToken Mobile drop-down lists, as
appropriate.
1. The device must be known to the FortiAuthenticator unit. See
FortiToken devices and mobile apps on page 65.
2. Optionally, select Configure a temporary e-mail/SMS token to
receive a temporary token code via email or SMS.
l
User Information
Email address
Language
61
Administration Guide
Fortinet Technologies Inc.
User management
Authentication
Remote LDAP
Sync every
LDAP filter
Optionally, enter an LDAP filter. Select Test Filter to test that the filter
functions as expected.
Token-based authentication
sync priorities
Sync as
Optionally, select a group from the drop-down list with which to associate
the users with, or select Create New to create a new user group. See User
groups on page 62.
Organization
Preview Mapping
User groups
Users can be assigned to groups during user account configuration (see Editing a user on page 54), or by editing
the groups to add users to it.
To view the user groups list, go to Authentication > UserManagement > UserGroups.
Administration Guide
Fortinet Technologies Inc.
62
Authentication
User management
Type
Users
Select users from the Available users box and move them to the Selected
users box to add them to the group.
This option is only available if Type is Local.
User retrieval
Remote LDAP
Select a remote LDAP server from the drop-down list. At least one remote
LDAP server must already be configured, see Remote authentication
servers on page 73.
This option is only available if Type is Remote LDAP.
Remote RADIUS
Select a remote RADIUS server from the drop-down list. At least one
remote RADIUS server must already be configured, see Remote
authentication servers on page 73.
This option is only available if Type is Remote RADIUS.
LDAP filter
Enter an LDAP filter. Optionally, select Test filter to ensure that the filter
works as expected.
This option is only available if Type is Remote LDAP and User retrieval is
set to Specify an LDAP filter.
LDAP users
Select remote LDAP users from the Available LDAP users box and move
them to the Selected LDAP users box to add them to the remote group.
This option is only available if Type is Remote LDAP and User retrieval is
set to Set a list of imported remote users.
RADIUS users
Select remote RADIUS users from the Available RADIUS users box and
move them to the Selected RADIUS users box to add them to the remote
group.
This option is only available if Type is Remote RADIUS.
Organizations
Organizations include a name and logo. An organization can be associated with local and remote users.
63
Administration Guide
Fortinet Technologies Inc.
User management
Authentication
When a user provisions FortiToken Mobile on their device, the organization name and logo are automatically
pushed to the device, allowing the FortiToken Mobile Apps user interface to be rebranded.
Organizations can be created, edited, and deleted as needed. Organization are applied to users from the various
user management pages. See Local users on page 52, Remote users on page 59, and Remote user sync rules on
page 61.
To manage organizations, go to Authentication > User Management > Organizations.
FortiTokens
Go to Authentication > User Management > FortiTokens to view a list of configured FortiTokens. From here,
FortiTokens can be added, imported, exported, edited, deleted, and activated. For more information, see
FortiToken devices and mobile apps on page 65.
The following information is shown:
Create New
Import
Export
Delete
Edit
Activate
Search
Enter a search term in the search field, then select Search to search the
FortiToken list.
Serial number
Token type
Status
Administration Guide
Fortinet Technologies Inc.
64
Authentication
Comment
User
Size
Drift
Timestep
FTM License
MAC devices
Non-802.1X compliant devices can be identified and accepted onto the network using MAC address
authentication. See Non-compliant devices on page 88 for more information.
RADIUS attributes
Some services can receive information about an authenticated user through RADIUS vendor-specific attributes.
FortiAuthenticator user groups and user accounts can include RADIUS attributes for Fortinet and other vendors.
Attributes in user accounts can specify user-related information. For example, the Default attribute Framed-IPAddress specifies the VPN tunnel IP address to be sent to the user by the Fortinet SSL VPN.
Attributes in user groups can specify more general information, applicable to the whole group. For example,
specifying third-party vendor attributes to a switch could enable administrative level login to all members of the
Network_Admins group, or authorize the user to the correct privilege level on the system.
65
Administration Guide
Fortinet Technologies Inc.
Authentication
Each FortiAuthenticator unit or virtual machine (VM) is supplied with two trial
FortiToken Mobile tokens. To obtain the free FortiToken Mobile tokens (if they have
not been created dynamically on install), select Get FortiToken Mobile trial tokens
when adding a token.
This may be required if, for example, you are upgrading an unlicensed
FortiAuthenticator unit to a licensed one, as the old tokens associated with the
unlicensed serial number will not be compatible with the new, licensed serial number.
The tokens will still work, but they are not able to be reassigned to a new user. In this
case, you must delete the old tokens, and then generate new ones.
If using a token passcode that is time-based, it is imperative that the FortiAuthenticator unit clock is accurate. If
possible, configure the system time to be synchronized with an NTP server.
To perform token-based authentication, the user must enter the token passcode. If the users username and
password are also required, this is called two-factor authentication. The displayed code changes every 60
seconds on a FortiToken device, and can be changed every 30 seconds on FortiToken Mobile.
The FortiToken device has a small hole in one end. This is intended for a lanyard to be inserted so the device can
be worn around the neck, or easily stored with other electronic devices. When not in use, the LCD screen is shut
down to extend the battery life.
Do not put the FortiToken device on a key ring as the metal ring and other metal
objects can damage it. The FortiToken is an electronic device like a cell phone and
should be treated with similar care.
See FortiTokens on page 64 for more information.
Administration Guide
Fortinet Technologies Inc.
66
Authentication
You can also import multiple tokens by selecting Import Multiple, or by selecting Add all FortiTokens from
the same Purchase Order then entering a single token's serial number; all tokens associated with that
purchase order will then be imported.
4. If FortiToken Mobile is selected as the Token Type, enter the activation codes in the Activation codes field, or
select Get FortiToken Mobile free trial tokens to use temporary tokens.
5. Select OK to add the FortiToken or FortiTokens.
Select Serial numberfile to load a CSV file that contains token serial numbers for the tokens. (FortiToken
devices have a barcode on them that can help you read serial numbers to create the import file.)
Select Seedfile to load a CSV file that contains the token serial numbers, encrypted seeds, and IV values.
(FortiToken devices have a barcode on them that can help you read serial numbers to create the import file.)
To export FortiTokens:
1. From the FortiToken list, select Export FTK-200.
2. Save the file to your computer.
Monitoring FortiTokens
To monitor the total number of FortiToken devices registered on the FortiAuthenticator unit, as well as the
number of disabled FortiTokens, go to System > Dashboard > Status and view the User Inventory widget (see
User Inventory widget on page 25).
You can also view the list of FortiTokens, their status, if their clocks are drifting, and which user they are assigned
to from the FortiToken list found at Authentication > User Management > FortiTokens, see FortiTokens on page
64.
67
Administration Guide
Fortinet Technologies Inc.
Self-service portal
Authentication
The device history can be viewed, showing all commands applied to this FortiToken.
Self-service portal
The self-service portal provides options for configuring general self-service portal options, access control settings,
self-registration options, replacement messages, and device self-enrollment settings.
Administration Guide
Fortinet Technologies Inc.
68
Authentication
Self-service portal
General
To configure general self-service portal settings, go to Authentication > Self-service Portal > General.
The following settings can be adjusted:
Default portal language
Add a Language
Pack
Site name
Enter a name that is used when referring to this site. If left blank, the
default name will be the site DNS domain name or IP address.
E-mail Signature
Access control
To configure self-service portal access settings, go to Authentication > Self-service Portal > Access Control.
The following settings can be adjusted:
Username input format
Select the input format for the username, one of: username@realm,
realm\username, realm/username. The realm name is optional when
authentication against the default realm.
Realms
Add realms to which the user will be associated. See Realms on page 78.
l
Select a realm from the drop-down list in the Realm column.
l
Select the realm that will be the default realm for this client.
Self-registration
When self-registration is enabled, users can request registration through the FortiAuthenticator login page. Selfregistration can be configured so that a user request is emails to the device administrator for approval.
When the account is ready for use, the user receives an email or SMS message with their account information.
69
Administration Guide
Fortinet Technologies Inc.
Self-service portal
Authentication
To enable self-registration:
1. Go to Authentication > Self-service Portal > SelfRegistration.
Enable e-mail to
freeform
addresses
Enable e-mail to
administrator
accounts
Select a group into which self-registered users will be placed from the dropdown list.
Password creation
Choose how to send account information to the user, either SMS, E-mail,
or Display on browser page.
The Display on browser page option is only available if administrator
approval is not required.
Administration Guide
Fortinet Technologies Inc.
70
Authentication
Self-service portal
SMS gateway
Select an SMS gateway from the drop-down list. See SMS gateways on
page 42 for more information.
Required Field
Configuration
Select the fields that the user is required to populate when self-registering.
Options include: First name, Last name, E-mail, address, Address, City,
State/Province, Country, Phone number, Mobile number, Custom field 1,
Custom field 2, and Customfield3.
For information about custom fields, see Custom user fields on page 51.
To request registration:
1. Browse to the IP address of the FortiAuthenticator unit.
Security policies must be in place on the FortiGate unit to allow these sessions to be established.
2. Select Register to open the user registration page.
3. Fill in all the required fields and, optionally, fill in the Additional Information fields
4. Select OK. to request registration.
If administrator approval is not required and Display on browser page is enabled, the account details are
immediately displayed to the user.
Replacement message
The replacement messages list enables you to view and customize replacement messages, and manage images.
Go to Authentication > Self-service Portal > Replacement Message to view the replacement message list.
71
Administration Guide
Fortinet Technologies Inc.
Self-service portal
Authentication
The replacement messages are split into five categories: Account, Authentication, Device Certificate
Enrollment, Password Reset, and User Registration.
Selecting a specific message will display the text and HTML or plain text of the message in the lower half of the
content pane.
Selecting Show Tag List will display a table of the tags used for that message atop the messages HTML or plain
text box.
Manage Images
Images can be managed by selecting Manage Images in the Replacement Message window.
Select Return to return to the replacement messages screen. Images can also be added, deleted, and edited.
To add an image:
1. In the manage images screen, select Create New to open the Create New Image window.
2. Enter a name for the image in the Name field.
3. Select Browse..., find the GIF, JPEG, or PNG image file that you are adding, and then select Open.
Administration Guide
Fortinet Technologies Inc.
72
Authentication
To delete an image:
1. In the manage images screen, select an image, then select Delete.
2. Select Yes, Im sure in the confirmation window to delete the image.
To edit an image:
In the manage images screen, select an image, then select Edit.
1. In the Edit Image window, edit the image name and file as required.
2. Select OK to apply your changes.
Device self-enrollment
Device certificate self-enrollment is a method for users to obtain certificates for their devices. It can be used to
enable EAP-TLS for BYOD configurations, or for VPN authentication. For more information, see Device selfenrollment on page 87.
LDAP
If you have existing LDAP servers, you may choose to continue using them with FortiAuthenticator by configuring
them as remote LDAP servers.
When entering the remote LDAP server information, if any information is missing or in
the wrong format, error messages will highlight the problem for you.
73
Administration Guide
Fortinet Technologies Inc.
Authentication
Port
Select to use a secondary server. The secondary server name/IP and port
must be entered.
Enter the IP address or FQDN for the secondary remote server. This option
is only available when Use secondary server is selected.
Secondary port
Enter the port number for the secondary server.This option is only available
when Use secondary server is selected.
Enter the base distinguished name for the server using the correct X.500 or
LDAP format. The maximum length of the DN is 512 characters.
You can also select the browse button to view and select the DN on the
LDAP server.
Administration Guide
Fortinet Technologies Inc.
74
Authentication
Bind Type
The type of object class to search for a user name search. The default is
person.
Username attribute
The LDAP attribute that contains the user name. The default is
sAMAccountName.
Group membership
attribute
3. If you want to have a secure connection between the FortiAuthenticator unit and the remote LDAP server, under
Secure Connection, select Enable, then enter the following:
Protocol
CA Certificate
Select the CA certificate that verifies the server certificate from the dropdown list.
4. If you want to authenticate users using MSCHAP2 PEAP in an Active Directory environment, enable Windows
Active Directory Domain Authentication, then enter the required Windows AD Domain Controller information.
Kerberos realm name
FortiAuthentication
NetBIOS name
Enter the NetBIOS name that will identify the FortiAuthenticator unit as a
domain member.
Administrator username
Enter the name of the user account that will be used to associate the
FortiAuthenticator unit with the domain. This user must have at least
Domain User privileges.
Administrator password
When you are finished here, go to Authentication > RADIUS Service > Clients to choose whether
authentication is available for all Windows AD users or only for Windows AD users who belong to particular
user groups that you select. See RADIUS service on page 76 for more information.
5. Select OK to apply your changes.
You can now add remote LDAP users, as described in Remote users on page 59.
75
Administration Guide
Fortinet Technologies Inc.
RADIUS service
Authentication
RADIUS
If you have existing RADIUS servers, you may choose to continue using them with FortiAuthenticator by
configuring them as remote RADIUS servers.This feature can also be used to migrate away from third party twofactor authentication platforms.
When entering the remote RADIUS server information, if any information is missing or
in the wrong format, error messages will highlight the problem for you.
Primary Server
Enter the server name or IP address, port and secret in their requisite
locations to configure the primary server.
Secondary Server
User Migration
Select Enable learning mode to record and learn users that authenticate
against this RADIUS server. This option should be enabled if you need to
migrate users from the server to the FortiAuthenticator.
Select View Learned Users to view the list of learned users. See Learned
RADIUS users on page 113.
RADIUS service
Before the FortiAuthenticator unit can accept RADIUS authentication requests from a FortiGate unit, the
FortiGate unit must be registered as a authentication client on the FortiAuthenticator unit.
The FortiAuthenticator RADIUS server is already configured and running with default values. Each user account
on the FortiAuthenticator unit has an option to authenticate the user using the RADIUS database.
Every time there is a change to the list of RADIUS authentication clients, two log messages are generated: one
for the client change, and one to state that the RADIUS server was restarted to apply the change.
FortiAuthenticator unit allows both RADIUS and remote authentication for RADIUS authentication client entries.
If you want to use a remote server, you must configure it first so that you can be select it in the RADIUS
authentication client configuration, see Remote authentication servers on page 73. You can configure the built-in
LDAP server before or after creating client entries, see LDAP service on page 79.
Clients
RADIUS accounting client can be managed from Authentication > RADIUS Service > Clients.
Clients can be added, imported, deleted, edited, and cloned as needed.
Administration Guide
Fortinet Technologies Inc.
76
Authentication
RADIUS service
Client name/IP
Secret
Description
Authentication method
Realms
username@realm
realm\username
realm/username.
Add realms to which the client will be associated. See Realms on page 78.
l
Select a realm from the drop-down list in the Realm column.
l
l
l
Allow MAC-based
authentication
77
Select the realm that will be the default realm for this client.
Administration Guide
Fortinet Technologies Inc.
RADIUS service
Authentication
Check machine
authentication
Override group
membership
when
EAP types
Select the conditions for when a group membership can be overridden from
the Only machine-authenticated and Only user-authenticated drop-down
lists.
Select the 802.1X EAP authentication types to accept. If you require
mutual authentication, select EAP-TLS.
For more information, see EAP on page 85.
Realms
Realms allow multiple domains to authenticate to a single FortiAuthenticator unit. They support both LDAP and
RADIUS remote servers. Each RADIUS realm is associated with a name, such as a domain or company name,
that is used during the log in process to indicate the remote (or local) authentication server on which the user
resides.
For example, the username of the user PJFry, belonging to the company P_Express would become any of the
following, depending on the selected format:
l
PJFry@P_Express
P_Express\PJFry
P_Express/PJFry
The FortiAuthenticator uses the specified realm to identify the back-end RADIUS or LDAP authentication server
or servers that are used to authenticate the user.
Acceptable realms can be configured on a per RADIUS server client basis when configured RADIUS service
clients. See Clients on page 76.
To manage the realms, go to Authentication > RADIUS Service > Realms.
Administration Guide
Fortinet Technologies Inc.
78
Authentication
LDAP service
Create New
Delete
Edit
Name
User Source
LDAP service
LDAP is an Internet protocol used to maintain authentication data that may include departments, people, groups
of people, passwords, email addresses, and printers. LDAP consists of a data-representation scheme, a set of
defined operations, and a request/response network.
In the LDAP protocol there are a number of operations a client can request such as search, compare, and add or
delete an entry. Binding is the operation where the LDAP server authenticates the user. If the user is successfully
authenticated, binding allows the user access to the LDAP server based on that users permissions.
General
To configure general LDAP service settings, go to Authentication > LDAP Service > General.
79
Select the certificate that the LDAP server will present from the drop-down
list.
Administration Guide
Fortinet Technologies Inc.
LDAP service
Authentication
Select the CA certificate that issued the server certificate from the dropdown list.
Country (c)
User (uid)
Organization (o)
The user account entries relevant to user authentication will have element names such as UID (user ID) or CN
(common name, the users name). They can each be placed at their appropriate place in the hierarchy.
Complex LDAP hierarchies are more common in large organizations where users in different locations and
departments have different access rights. For basic authenticated access to your office network or the Internet, a
much simpler LDAP hierarchy is adequate.
The following is a simple example of an LDAP hierarchy in which the all user account entries reside at the
Organization Unit (OU) level, just below DC.
When requesting authentication, an LDAP client, such as a FortiGate unit, must specify the part of the hierarchy
where the user account record can be found. This is called the Distinguished Name (DN). In the above example,
DN is ou=People,dc=example,dc=com.
Administration Guide
Fortinet Technologies Inc.
80
Authentication
LDAP service
The authentication request must also specify the particular user account entry. Although this is often called the
Common Name (CN), the identifier you use is not necessarily CN. On a computer network, it is appropriate to use
UID, the persons user ID, as that is the information that they will provide at logon.
81
Administration Guide
Fortinet Technologies Inc.
LDAP service
Authentication
Administration Guide
Fortinet Technologies Inc.
82
Authentication
LDAP service
83
Name
Server Name / IP
Server Port
Distinguished Name
Enter the LDAP node where the user account entries can be found. For
example, ou=People,dc=example,dc=com
Administration Guide
Fortinet Technologies Inc.
FortiAuthenticator agent
Bind Type
Authentication
The FortiGate unit can be configured to use one of three types of binding:
l
anonymous - bind using anonymous user search
l
Secure Connection
FortiAuthenticator agent
FortiAuthenticator Agent for Microsoft Windows is a credential provider plugin that allows a FortiToken OTP,
validated by FortiAuthenticator, to be inserted into the Windows authentication process.
To download the FortiAuthenticator Agent, go to Authentication > FortiAuthenticator Agent > Download, and
download the FortiAuthenticator Agent installer.
For more information about the FortiAuthenticator Agent, see the FortiAuthenticator Agent for Microsoft
Windows Administration Guide, available from http://docs.fortinet.com/fortiauthenticator/.
Administration Guide
Fortinet Technologies Inc.
84
EAP
The FortiAuthenticator unit supports several IEEE 802.1X EAP methods. These include authentication methods
most commonly used in WiFi networks.
EAP is defined in RFC 3748 and updated in RFC 5247. EAP does not include security for the conversation
between the client and the authentication server, so it is usually used within a secure tunnel technology such as
TLS, TTLS, or MS-CHAP.
The FortiAuthenticator unit supports several EAP methods:
Method
Server Auth
Client Auth
Encryption
Native OS Support
PEAP (MSCHAPv2)
Yes
Yes
Yes
EAP-TTLS
Yes
No
Yes
Windows Vista, 7
EAP-TLS
Yes
Yes
Yes
In addition to providing a channel for user authentication, EAP methods, except EAP-MD5, also provide
certificate-based authentication of the server computer. EAP-TLS provides mutual authentication: the client and
server authenticate each other using certificates. This is essential for authentication onto an enterprise network in
a BYOD environment.
For successful EAP-TLS authentication, the users certificate must be bound to their account in Authentication >
User Management > Local Users (see Local users on page 52) and the relevant RADIUS client in Authentication
> RADIUS Service > Clients (see RADIUS service on page 76) must permit that user to authenticate. By
default, all local users can authenticate, but it is possible to limit authentication to specified user groups.
85
Administration Guide
Fortinet Technologies Inc.
EAP
Certificate Management: create and revoke certificates as a CA. See Certificate Management on page 114.
Simple Certificate Enrollment Protocol (SCEP) Server: exchange a Certificate Signing Request (CSR) and the
resulting signed certificate, simplifying the process of obtaining a device certificate.
Administration Guide
Fortinet Technologies Inc.
86
Device self-enrollment
Key: The preshared secret configured in the FortiAuthenticator authentication client settings
Authentication Port: By default, FortiAuthenticator listens for authentication requests on port 1812.
Device self-enrollment
Device certificate self-enrollment is a method for local and remote users to obtain certificates for their devices. It
is primarily used in enabling EAP-TLS for BYOD. For example:
l
They log in to the FortiAuthenticator unit and create a certificate for the device.
With their certificate, username, and password they authenticate to the wireless network.
To enable device self-enrollment and adjust self-enrollment settings, go to Authentication > Self-service Portal
> DeviceSelf-enrollment and select Enable user device certificate self-enrollment.
SCEP must be enabled to activate this feature, see SCEP on page 127.
87
Select a SCEP enrollment template from the drop-down list. SCEP can be
configured in Certificate Management > SCEP. See SCEP on page 127
for more information.
Max. devices
Key size
Select the key size for self-enrolled certificates (1024, 2048, or 4096 bits).
iOS devices only support two key size: 1024 and 2048.
Administration Guide
Fortinet Technologies Inc.
Non-compliant devices
Non-compliant devices
802.1X methods require interactive entry of user credentials to prove a users identity before allowing them
access to the network. This is not possible for non-interactive devices, such as printers. MAC Authentication
Bypass is supported to allow non-802.1X compliant devices to be identified and accepted onto the network using
their MAC address as authentication.
This feature is only for 802.1X MAC Authentication Bypass. FortiGate Captive Portal MAC Authentication is
supported by configuring the MAC address as a standard user, with the MAC address as both the username and
password, and not by entering it in the MAC Devices section.
Multiple MAC devices can be imported in bulk from a CSV file. The first column of the CSV file contains the
device names (maximum of 50 characters), and the second column contains the corresponding MAC addresses
(0123456789AB or 01:23:45:67:89:AB).
Administration Guide
Fortinet Technologies Inc.
88
Users can authenticate through a web portal and a set of embeddable widgets.
Users with FortiClient Endpoint Security installed can be automatically authenticated through the FortiClient SSO
Mobility Agent.
Users can be identified through the FortiAuthenticator API. This is useful for integration with third party systems.
This section describes FSSO only. For FSSO authentication methods, there is no
need to configure anything in the accounting proxy section.
The FortiAuthenticator unit must be configured to collect the relevant user logon data. After this basic
configuration is complete, the various methods of collecting the login information can be set up as needed.
General settings
The FortiAuthenticator unit listens for requests from authentication clients and can poll Windows Active Directory
servers.
89
Listening port
Leave at 8000 unless your network requires you to change this. Ensure this
port is allowed through the firewall.
Enable authentication
Administration Guide
Fortinet Technologies Inc.
General settings
Login Expiry
The length of time, in minutes, that users can remain logged in before the
system logs them off automatically. The default is 480 minutes (8 hours).
The length of time, in seconds, that a user session is extended after the
user logs off, from 0 (default) to 3600 seconds.
Enable NTLM
authentication
Log Level
Select one of Debug, Info, Warning, or Error as the minimum severity level
of events to log from the drop-down list.
Select Download all logs to download all FSSO logs to your management
computer.
Enable polling
additional logon
events
Select to enable polling additional logon events, for example, from devices
using Kerberos authentication, or from Mac OS X systems.
Enter the additional logon event timeout time in the Additional logon event
timeout field, from 1 to 480 minutes, with 5 minutes being the default time.
Note: After a user logs off, their SSO session will stay active for the above
configured period of time. During this time, if another user changes to the
previous users IP address, they may be able to bypass the necessary
authentication. For this reason, it is strongly recommended that the
timeout time be kept short.
Enable DNS
lookup to get IP
from workstation
name
Directly use
domain DNS
suffix in lookup
Select to use the domain DNS suffix when doing a DNS lookup.
This option is disabled by default.
Enable reverse
DNS lookup to
get workstation
name from IP
Select to enable reverse DNS lookup. Reverse DNS lookup is used when an
event contains only an IP address and no workstation name.
This option is enabled by default.
Administration Guide
Fortinet Technologies Inc.
90
91
General settings
FortiClient
listening port
Enable
authentication
Keep-alive
interval
Idle timeout
Enter an amount of time after which to logoff a user if their status is not
updated. The value cannot be lower than the Keep-alive interval value.
Enable NTLM
Select to enable the NT LAN Manager (NTLM) to allow logon of users who
are connected to a domain that does not have the FSSO DC Agent
installed. Disable NTLM authentication only if your network does not
support NTLM authentication for security or other reasons.
Enter an amount of time after which NTLM authentication expires in the
NTLM authentication expiry field, from 1 to 10080 minutes (7 days).
Select to enable hierarchical FSSO tiering. Enter the collector listening port
in the Collector listening port field.
Select to enable clients using DC or TS Agent. Enter the UDP port in the
DC/TS Agent listening port field. Default is 8002.
Select Enable authentication to enable authentication, then enter a secret
key, or password, in the Secret key field.
Restrict auto-discovered
domain controllers to
configured domain
controllers
Administration Guide
Fortinet Technologies Inc.
General settings
Select to restrict user groups to only those groups in the SSO group list.
Enter the amount of time after which items will expire. This is only available
when the group cache mode is set to passive.
Group cache
update period for
active logons
Enter the amount of time after which items are updated. This is only
available when the group cache mode is set to active.
Enter the base distinguished names to search for nesting of users or groups
into cross domain and domain local groups.
Administration Guide
Fortinet Technologies Inc.
92
Portal services
Portal services
The SSO portal supports a logon widget that you can embed in any web page. Typically, an organization would
embed the widget on its home page.
The SSO portal sets a cookie on the users browser. When the user browses to a page containing the login
widget, the FortiAuthenticator unit recognizes the user and updates its database if the users IP address has
changed. The user will not need to re-authenticate until the login timeout expires, which can be up to 30 days. To
log out of FSSO immediately, the user can select the Logout button in the widget.
The SSO portal supports multiple authentication methods including manual authentication, embeddable widgets,
and Kerberos authentication.
To configure portal services, go to Fortinet SSO Methods > SSO > Portal Services.
The following settings can be configured:
User Portal
Username input
format
Realms
Select Enable SSO login portal to enable the SSO login portal.
Select one of the following three username input formats:
l
username@realm
realm\username
realm/username.
Add realms to which the client will be associated. See Realms on page 78.
l
Select a realm from the drop-down list in the Realm column.
l
l
l
Login timeout
93
Select the realm that will be the default realm for this client.
Set the maximum number of days a user is allowed to stay logged in before
being logged out automatically from SSO, from 1 to 30 days. Default of 7
days.
Administration Guide
Fortinet Technologies Inc.
Portal services
Delay when
redirecting to an
external URL
Set the delay that occurs when redirecting to an external URL, from 1 to 10
seconds, with a default of 7 seconds.
Embeddable
login widget
Use this code to embed the login widget onto your site. The code cannot be
edited manually in this field.
Login widget
demo
A demo of what the login widget will look like on your site.
Select Enable Kerberos login for SSO to enable kerberos log in for SSO.
See Kerberos on page 94 for more information.
Import Keytab
Select to open the Import Keytab window where you can import a keytab
from your computer.
A keytab must be imported for Kerberos log in for SSO to be enabled.
Kerberos
Principal
Select Enable SSO Web Service to use the web service to log users in and
out.
Specify the type of user that the client will provide: external, local, or
remote (LDAP server must be selected from the drop-down list).
Kerberos
Kerberos authentication allows the FortiAuthenticator to identify connecting users through a Kerberos exchange
after a redirect from a FortiGate device.
A keytab file that describes your Kerberos infrastructure is required. To generate this file, you can use a ktpass
utility. The following code can be used in a batch file to simplify the keytab file creation:
set OUTFILE=fac.keytab
set USERNAME=fac@corp.example.com
set PRINC=HTTP/fac.corp.example.com@CORP.EXAMPLE.COM
set CRYPTO=all
set PASSWD=Pa$$p0rt
set PTYPE=KRB5_NT_PRINCIPAL
ktpass -out %OUTFILE% -pass %PASSWD% -mapuser %USERNAME% -princ %PRINC% -crypto %CRYPTO% ptype %PTYPE%
The FortiGate device can be configured to redirect unauthenticated users to the FortiAuthenticator, however the
Kerberos authentication URL is different than the standard login URL. The Custom Message HTML for the Login
Page HTML Redirect for Kerberos is as follows:
<html>
<body>
<script type=text/javascript>
var URI_string = document.documentURI;
Administration Guide
Fortinet Technologies Inc.
94
Fine-grained controls
document.location.href=http://<FAC_IP>/login/kerb-auth?user_continue_url= +
encodeURIComponent(URI_string);
</script>
<h2>
Redirecting...
</h2>
</body>
</end>
Fine-grained controls
The Fine-grained Controls menu provide options to include or exclude a user or group from SSO, and set the
maximum number of concurrent sessions that a user or group can have.
To adjust the controls, go to Fortinet SSO Methods > SSO > Fine-grained Controls.
The following options are available:
Edit
Clear Configuration
Select a user or users, then select Exclude from SSO to exclude them
from SSO.
Include in SSO
Select a user or users, then select Include in SSO to include the selected
users in SSO.
SSO Type
Select the SSO type to view from the drop-down list. The options are: Local
Users, Local Groups, SSO Users, and SSO Groups.
SSO Name
The users or groups names. Select the column title to sort the list by this
column.
Maximum Concurrent
Sessions
The maximum concurrent sessions allowed for the user or group. This
number cannot be greater than five.
If the user or group is excluded from SSO, a red circle with a line will be
displayed.
95
Administration Guide
Fortinet Technologies Inc.
Import
Delete
Edit
Name
FortiAuthenticator SSO user groups cannot be used directly in a security policy on a FortiGate device. An FSSO
user group must be created on the FortiGate unit, then the FortiAuthenticator SSO groups must be added to it.
FortiGate FSSO user groups are available for selection in identity-based security policies. See the FortiOS
Handbook for more information.
Administration Guide
Fortinet Technologies Inc.
96
Domain controllers
3. Optionally, enter a Filter string to reduce the number of entries returned, and then select Apply, or select Clear to
clear the filters.
For example, uid=j* returns only user IDs beginning with j.
4. The default configuration imports the attributes commonly associated with Microsoft Active Directory LDAP
implementations. Select Configure user attributes to edit the remote LDAP user mapping attributes.
Selecting the field, FirstName for example, presents a list of attributes which have been detected and can be
selected. This list is not exhaustive and additional, non-displayed attributes may be available for import.
Consult your LDAP administrator for a list of available attributes.
5. Select the entries you want to import.
6. Optionally, select an organization from the Organization drop-down to associated the imported users with a
specific organization. See Organizations on page 63.
7. Select OK to import the users or groups.
Domain controllers
If Active Directory will be used to ascertain group information, the FortiAuthenticator unit must be configured to
communicate with the domain controller.
A domain controller entry can be disabled without deleting its configuration. This can be useful when performing
testing and troubleshooting, or when moving controllers within your network.
In order to properly discover the available domains and domain controllers, the DNS
settings must specify a DNS server that can provide the IP addresses of the domain
controllers. See DNS on page 27.
97
Administration Guide
Fortinet Technologies Inc.
RADIUS accounting
Display Name
Network Address
Account
Enter the account name used to access logon events. This account should
have administrator rights.
Password
Priority
You can define two (or more) Domain Controllers for the same domain.
Each can be designated Primary or Secondary. The Primary unit is
accessed first.
Disable
Secure Connection
Enable
Protocol
CA certificate
4. Select OK.
By default, FortiAuthenticator uses auto-discovery of Domain Controllers. If you want to restrict operation to the
configured domain controllers only, go to Fortinet SSO Methods > SSO > General and select Restrict autodiscovered domain controllers to configured domain controllers. See General settings on page 89.
RADIUS accounting
If required, SSO can be based on RADIUS accounting records. The FortiAuthenticator receives RADIUS
accounting packets from a carrier RADIUS server or network device, such as a wireless controller, collects
additional group information, and then inserts it into FSSO to be used by multiple FortiGate or FortiCache
devices for identity based policies.
The FortiAuthenticator must be configured as a RADIUS accounting client to the RADIUS server.
To view the RADIUS accounting SSO client list, go to Fortinet SSO Methods > SSO > RADIUS Accounting.
Administration Guide
Fortinet Technologies Inc.
98
Syslog
Enter a name in the Name field to identify the RADIUS accounting client on
the FortiAuthenticator.
Client name/IP
Secret
Description
Specify the type of user that the client will provide: external, local, or
remote (LDAP server must be selected from the drop-down list).
Radius Attributes
If required, customize the username, client IP, and user group RADIUS
attributes to match the ones used in the incoming RADIUS accounting
records. See RADIUS attributes on page 65.
Syslog
The FortiAuthenticator can parse username and IPaddress information from a syslog feed from a third party
device, and inject this information into FSSO so it can be used in FortiGate and FortiCache identity based
policies.
Syslog objects include sources and matching rules. Sources identify the entities sending the syslog messages,
and matching rules extract the events from the syslog messages. Messages coming from non-configured sources
will be dropped.
To configure syslog objects, go to go to Fortinet SSO Methods > SSO > Syslog.
99
Administration Guide
Fortinet Technologies Inc.
Syslog
Syslog SSO must be enabled for this menu option to be available. Go to Fortinet SSO
Methods > SSO > General to enable Syslog SSO. See General settings on page 89.
The following options and information are available:
Create New
Delete
Edit
Name
Client name/IP
Matching rules
A matching rule is a query, or policy, that is applied to a syslog message in order to determine required
information, such as the username and IPaddress. Rules are required for every syslog source.
Predefined rules are available for Cisco and Aruba wireless controllers (see Predefined rules on page 101). For
other systems, custom policies can be created to parse message files in various formats.
Description
Fields to Extract
Trigger
Optionally, enter a string that must be present in all syslog messages. This
will act as a pre-filter.
Auth Type
Indicators
Username field
Client IP field
Administration Guide
Fortinet Technologies Inc.
100
Syslog
Group field
Optionally, define the semantics of the group. The group may not always
be included in the syslog message, and may need to be retrieved from a
remote LDAP server.
Test Rule
Paste a sample log message into the text box, then select Test to test that
the desired fields are correctly extracted.
Syslog sources
Each syslog source must be defined for traffic to be accepted by the syslog daemon. Each source must also be
configured with a matching rule that can be either pre-defined or custom built.
IP Address
Matching Rule
Select the requisite matching rule from the drop-down list. A matching
must already be created for the source.
Predefined rules
Predefined matching rules are included for Cisco and Aruba wireless controllers.
Cisco ISE
Accounting Start Log
Trigger
101
CISE_RADIUS_Accounting
Administration Guide
Fortinet Technologies Inc.
Acct-Status-Type=Start (Login)
Username field
User-Name={{user}},
Client IP field
Framed-IP-Address={{ip}},
CISE_RADIUS_Accounting
Acct-Status-Type=Stop (Logout)
Username field
User-Name={{user}},
Client IP field
Framed-IP-Address={{ip}},
Aruba
Trigger
Username field
username={{user}},
Client IP field
Framed-IP-Address={{ip}},
Group field
profile={{group}},
FortiGate name/IP
Administration Guide
Fortinet Technologies Inc.
102
IP filtering rules
Description
Select to forward SSO information for users from only the specific subset of
groups.
Choose the desired SSO groups from the Available sso groups box and
move them to the Selected sso groups box. See SSO users and groups on
page 96 for information on SSO groups.
IP filtering rules
The user logon information that is sent to the FortiGate units can be restricted to specific IP addresses or address
ranges. If no filters are defined, information is sent for all addresses.
To view the list of the IP filtering rules, go to Fortinet SSO Methods > SSO > IP Filtering Rules.
Filter Type
Rule
IP Range: 10.0.0.1/10.0.0.99
Tiered architecture
Tier nodes can be managed by going to Fortinet SSO Methods > SSO > Tiered Architecture.
The following options are available:
Create New
103
Administration Guide
Fortinet Technologies Inc.
Tiered architecture
Delete
Edit
Search
Enter a search term in the search text box then select Search to search the
tier node list.
Name
Tier Role
Address
Port
Serial Number
Enabled
If the node is enabled, a green circle with a check mark will be shown.
A node can be disabled without losing any of its settings.
Serial number
Tier Role
Node IP address
Collector port
Enter the collector port number. Default is 8002. This only applies is
Collector is selected as the Tier Role.
Disable
Administration Guide
Fortinet Technologies Inc.
104
105
Administration Guide
Fortinet Technologies Inc.
The RADIUS server is business-critical IT infrastructure, limiting the changes that can be made to the server
configuration.
In some cases, the server can send accounting records only to a single endpoint. Some network topologies may
require multiple endpoints.
The FortiAuthenticator RADIUS Accounting Proxy overcomes these limitations by proxying the RADIUS
accounting records, modifying them, and replicating them to the multiple subscribing endpoints as needed.
Rule sets to define or derive the RADIUS attributes that the FortiGate unit requires,
The destination(s) of the accounting records: the FortiGate units using this information for RADIUS SSO
authentication.
General settings
General RADIUS accounting proxy settings can be configure by going to FortinetSSOMethods> Accounting
Proxy > General.
The following settings are available:
Log level
Select one of Debug, Info, Warning, or Error as the minimum severity level
of event to log from the drop-down list.
Enter the amount of time after which user group memberships will expire in
the cache, from 1 to 10080 minutes (7 days). The default is 480 minutes.
Enter the number of times to retry proxy requests if they timeout, from 0 to
3 retries, where 0 disables retries. The default is 3 retries.
Enter the time between statistics updates to the seconds debug log, from 1
to 3600 seconds (1 hour).
Administration Guide
Fortinet Technologies Inc.
106
Rule sets
A rule set can contain multiple rules. Each rule can do one of:
l
The FortiAuthenticator unit can store up to 10 rule sets. You can provide both a name and a description to each
rule set to help you remember each rule sets purpose.
Rules access RADIUS attributes of which there are both standard attributes and vendor-specific attributes
(VSAs). To select a standard attribute, select the Default vendor. See RADIUS attributes on page 65.
To view the accounting proxy rule set list, go to Fortinet SSO Methods > Accounting Proxy > Rule Sets.
107
Name
Enter a name to use when selecting this rule set for an accounting proxy
destination.
Description
Rules
Administration Guide
Fortinet Technologies Inc.
Action
Attribute
Select Browse and choose the appropriate Vendor and Attribute ID in the
Select a RADIUS Attribute dialog box.
Attribute 2
If the action is set to Modify, a second attribute may be selected. The first
attribute will be renamed to the second attribute.
Value Type
If the action is set to Add, select a value type from the drop-down list.
l
Static value: adds the attribute in the Attribute field containing the
static value in the Value field.
l
Value
If the action is set to Add and Value Type is set to Static value, enter the
static value.
Username
Attribute
If the action is set to Add, and Value Type is not set to Static value,
specify an attribute that provides the users name, or select Browse and
choose the appropriate Vendor and Attribute ID in the Select a RADIUS
Attribute dialog box.
Remote LDAP
If the attribute addition requires an LDAP server, select one from the dropdown list. See LDAP on page 73 for information on remote LDAP servers.
Description
User-Name
NAS-IP-Address
Fortinet-Client-IP-Address
Administration Guide
Fortinet Technologies Inc.
108
User-Name
NAS-IP-Address
Fortinet-Client-IP-Address
Service-Type: Value is obtained from user's group membership and SSO Group Mapping
The rule set needs three rules to add Session-Timeout, Fortinet-Group-Name, and Service-Type. The below
image provides an example.
Sources
The RADIUS accounting proxy sources list can be viewed in Fortinet SSO Methods > Accounting Proxy >
Sources. Sources can be added, edited, and deleted as needed.
109
Administration Guide
Fortinet Technologies Inc.
Source name/IP
Secret
Description
Destinations
The destination of the RADIUS accounting records is the FortiGate unit that will use the records to identify users.
When defining the destination, you also specify the source of the records (a RADIUS client already defined as a
source) and the rule set to apply to the records.
To view the RADIUS accounting proxy destinations list, go to Fortinet SSO Methods > Accounting Proxy >
Destinations.
Destination name/IP
Enter The FQDN or IP address of the FortiGate that will receive the
RADIUS accounting records.
Secret
Source
Select a RADIUS client defined as a source from the drop-down list. See
Sources on page 109.
Rule set
Select an appropriate rule set from the drop-down list or select Create New
to create a new rule set. See Rule sets on page 107.
Administration Guide
Fortinet Technologies Inc.
110
Monitoring
The Monitor menu tree provides options for monitoring SSO and authentication activity.
SSO
FortiAuthenticator can monitor the units that make up FSSO. This is useful to ensure there is a connection to the
different components when troubleshooting.
Domains
To monitor SSO domains, go to Monitor > SSO > Domains. Select Refresh to refresh the domain list. Select
Expand All to expand all of the listed domains, or Collapse All to collapse the view.
Hover the cursor over an entry to view additional information, such as the status and length of the last connection.
SSO sessions
To monitor SSO sessions, go to Monitor > SSO > SSO Sessions. Users can be manually logged off of if
required.
The following information is available:
111
Refresh
Logoff All
Logoff Selected
Search
Enter a search term in the search field, then select Search to search the
SSO sessions list.
Logon Time
Update Time
Workstation
IP address
Username
Administration Guide
Fortinet Technologies Inc.
Authentication
Monitoring
Source
Group
Domain controllers
Domain controllers that are registered with the FortiAuthenticator unit can be viewed by going to Monitor > SSO
> Domain Controllers.
The domain controllers list can be refreshed by selecting Refresh, and searched using the search field.
The list shows the connection status of the domain controller, as well as its update time and IP address. The total
number of events, as well as the most recent event, are also shown.
FortiGates
FortiGate units that are registered with the FortiAuthenticator unit can be viewed at Monitor>SSO > FortiGates.
The list can be refreshed by selecting Refresh, and searched using the search field. The list shows the
connection time of each device, as well as its IP address and serial number.
User authentication events are logged in the FortiGate event log. See the FortiGate Handbook for more
information.
Authentication
The Windows AD server and inactive users can be monitored from Monitor > Authentication. Learned RADIUS
users can also be configured.
Windows AD
To view the Windows AD server information, go to Monitor > Authentication > Windows AD.
To refresh or reset the connection, select Refresh or Reset Connection in the toolbar. The server name, IP
address, authentication realm, agent, and connection are shown.
Administration Guide
Fortinet Technologies Inc.
112
Monitoring
Authentication
Inactive users
To view a list of locked out, or inactive, users, go to Monitor > Authentication > Inactive Users.
To unlock a user from the list, select the user, then select Unlock. The list can be refreshed by selecting Refresh,
and searched using the search field.
The list shows the username, server, the reason the user was locked out, and when they are locked out until.
For more information on locked out users, see Top User Lockouts widget on page 26, Lockouts on page 49, and
User management on page 51.
113
Administration Guide
Fortinet Technologies Inc.
Certificate Management
This section describes managing certificates with the FortiAuthenticator device.
FortiAuthenticator can act as a CA for the creation and signing of X.509 certificates, such as server certificates for
HTTPS and SSH, and client certificates for HTTPS, SSL, and IPSEC VPN.
The FortiAuthenticator unit has several roles that involve certificates:
Certificate authority
SCEP server
A SCEP client can retrieve any of the local CA certificates (Local CAs on
page 121), and can have its own user certificate signed by the
FortiAuthenticator unit CA.
EAP Authentication
Any changes made to certificates generate log entries that can be viewed at Logging > Log Access > Logs. See
Logging on page 132.
This chapter includes the following sections:
l
Policies
End entities
Certificate authorities
SCEP
Policies
The policies section includes global configuration settings which are applied across all certificate authorities and
end-entity certificates created on the FortiAuthenticator device.
Certificate expiry
Certificate expiration settings can be configured in Certificate Management > Policies > Certificate Expiry.
Administration Guide
Fortinet Technologies Inc.
114
Certificate Management
End entities
Enter the number of days before the certificate expires that the email will
be sent.
Administrator's e-mail
Enter the email address to which the expiry warning message will be sent.
End entities
User and server certificates are required for mutual authentication on many HTTPS, SSL, and IPsec VPN network
resources. You can create a user certificate on the FortiAuthenticator device, or import and sign a CSR. User
certificates, client certificates, or local computer certificates are all the same type of certificate.
To view the user certificate list, go to Certificate Management > End Entities > Users. To view the server
certificate list, go to Certificate Management > End Entities > Local Services.
The following information is available:
115
Create New
Import
Revoke
Delete
Export Certificate
Export PKCS#12
Search
Enter a search term in the search field, then press Enter to search the
certificate list.
Filter
Certificate ID
Subject
Administration Guide
Fortinet Technologies Inc.
End entities
Certificate Management
Issuer
Status
Certificates can be created, imported, exported, revoked, and deleted as required. CSRs can be imported to sign,
and the certificate detail information can also be viewed, see To view certificate details: on page 120.
Administration Guide
Fortinet Technologies Inc.
116
Certificate Management
End entities
Issuer
Local User
(Optional)
If Local CA is selected as the issuer, you may select a local user from the
drop-down list to whom the certificate will apply.This option is only
available when creating a new user certificate.
Certificate
authority
Subject Information
Subject input
method
Select the subject input method, either Fully distinguished name or Fieldby-field.
Subject DN
If the subject input method is Fully distinguished name, enter the full
distinguished name of the subject. There should be no spaces between
attributes.Valid DN attributes are DC, C, ST, L, O, OU, CN, and
emailAddress. They are case-sensitive.
Field-by-field
If the subject input method is Field-by-field, enter the subject name in the
Name (CN) field, and optionally enter the following fields:
Department (OU)
Company (O)
City (L)
State/Province (ST)
E-mail address
Subject Alternative Names (SAN) allow you to protect multiple host names
with a single SSL certificate. SAN is part of the X.509 certificate standard.
For example, SANs are used to protect multiple domain names such as
www.example.com and www.example.net, in contrast to wildcard
certificates that can only protect all first-level subdomains on one domain,
such as *.example.com.
This section is not available when Issuer is set to Local CA.
User Principal
Name (UPN)
Enter the UPN used to find the users account in Microsoft Active Directory.
This will map the certificate to this specific user. The UPN is unique for the
Windows Server domain. This is a form of one-to-one mapping.
Additional Options
117
Administration Guide
Fortinet Technologies Inc.
End entities
Certificate Management
Validity period
Select the amount of time before this certificate expires. This option is only
available when Issuer is set to Local CA.
Select Set length of time to enter a specific number of days, or select Set
an expiry date and enter the specific date on which the certificate expires.
Key type
Key size
Select the key size from the drop-down list: 1024, 2048, or 4096 bits.
Hash algorithm
Select the hash algorithm from the drop-down list, either SHA-1 or SHA256.
Other Extensions
Add CRL
Distribution
Points extension
This option is only available when creating a new user certificate, and when
Issuer is set to Local CA.
Select to add CRL distribution points extension to the certificate.
Note: Once a certificate is issued with this extension, the server must be
able to handle the CRL request at the specified location.
A DNS domain name must be configured. If it has not been, select Edit
DNS name to configure one. See DNS on page 27.
Administration Guide
Fortinet Technologies Inc.
118
Certificate Management
End entities
Validity period
Hash algorithm
Select the hash algorithm from the drop-down list, either SHA-1 or SHA256.
User Principal
Name (UPN)
Enter the UPN used to find the users account in Microsoft Active Directory.
This will map the certificate to this specific user. The UPN is unique for the
Windows Server domain. This is a form of one-to-one mapping.
Other Extensions
119
Administration Guide
Fortinet Technologies Inc.
Certificate authorities
Certificate Management
Add CRL
Distribution
Points extension
Select to use the certificate for smart card logon. This option can only be
selected concurrently with Add CRL Distribution Points extension.
To revoke a certificate:
1. Go to Certificate Management > End Entities > Users or to Certificate Management > End Entities > Local
Services.
2. Select the certificate the will be revoked, then select Revoke. The Revoke User Certificate or Revoke Server
Certificate window opens.
3. Select a reason for revoking the certificate from the Reason code drop-down list. The reasons available are:
l
Unspecified
Changes in affiliation
Superseded
Operation ceased
On Hold
Some of these reasons are security related (such as the key or CA being compromised), while others are
more business related; a change in affiliation could be an employee leaving the company; Operation ceased
could be a project that was cancelled.
Certificate authorities
A CA is used to sign other server and client certificates. Different CAs can be used for different domains or
certificates. For example, if your organization is international you may have a CA for each country, or smaller
organizations might have a different CA for each department. The benefits of multiple CAs include redundancy,
in case there are problems with one of the well-known trusted authorities.
Once you have created a CA certificate, you can export it to your local computer.
Administration Guide
Fortinet Technologies Inc.
120
Certificate Management
Certificate authorities
Local CAs
The FortiAuthenticator device can act as a self-signed or local CA.
To view the certificate information, go to CertificateManagement > CertificateAuthorities > LocalCAs.
The following information in shown:
121
Create New
Import
Revoke
Delete
Export
Search
Enter a search term in the search field, then press Enter to search the CA
certificate list. The search will return certificates that match either the
subject or issuer.
Filter
Select to filter the displayed CAs by status. The available selections are:
All, Pending, Expired, Revoked, and Active.
Certificate ID
Subject
Issuer
Status
CA Type
Administration Guide
Fortinet Technologies Inc.
Certificate authorities
Certificate Management
To create a CA certificate:
1. From the local CA certificate list, select Create New. The Create New Local CA Certificate window opens.
Certificate
authority
Subject Information
Subject input
method
Administration Guide
Fortinet Technologies Inc.
Select the subject input method, either Fully distinguished name or Fieldby-field.
122
Certificate Management
Certificate authorities
Subject DN
If the subject input method is Fully distinguished name, enter the full
distinguished name of the subject. There should be no spaces between
attributes.
Valid DN attributes are DC, C, ST, L, O, OU, CN, and emailAddress. They
are case-sensitive.
Field-by-field
If the subject input method is Field-by-field, enter the subject name in the
Name (CN) field, and optionally enter the following fields:
Email
User Principal
Name (UPN)
Department (OU)
Company (O)
City (L)
State/Province (ST)
E-mail address
SANs allow you to protect multiple host names with a single SSL
certificate. SAN is part of the X.509 certificate standard.
This section is not available when the certificate type is Intermediate CA
certificate signing request (CSR).
Enter the email address of a user to map to this certificate.
Enter the UPN used to find the users account in Microsoft Active
Directory. This will map the certificate to this specific user. The
UPN is unique for the Windows Server domain. This is a form of
one-to-one mapping.
Additional Options
Validity period
Key type
Key size
Select the key size from the drop-down list: 1024, 2048, or 4096 bits.
Hash algorithm
Select the hash algorithm from the drop-down list, either SHA-1 or SHA256.
123
Administration Guide
Fortinet Technologies Inc.
Certificate authorities
Certificate Management
Passphrase
Select the serial number radix, either decimal or hex, in the Serial number
radix field, then enter the initial serial number in the Initial serial number
field.
Passphrase
Select the serial number radix, either decimal or hex, in the Serial number
radix field, then enter the initial serial number in the Initial serial number
field.
Administration Guide
Fortinet Technologies Inc.
124
Certificate Management
Certificate authorities
Validity period
Hash algorithm
Select the hash algorithm from the drop-down list, either SHA-1 or SHA256.
User Principal
Name (UPN)
Enter the UPN used to find the users account in Microsoft Active Directory.
This will map the certificate to this specific user. The UPN is unique for the
Windows Server domain. This is a form of one-to-one mapping.
CRLs
A CRL is a file that contains a list of revoked certificates, their serial numbers, and their revocation dates. The file
also contains the name of the issuer of the CRL, the effective date, and the next update date. By default, the
shortest validity period of a CRL is one hour.
Some potential reasons for certificates to be revoked include:
125
Administration Guide
Fortinet Technologies Inc.
Certificate authorities
Certificate Management
A certificates has expired and is not supposed to be used past its lifetime.
Go to Certificate Management > Certificate Authorities > CRLs to view the CRL list.
The following information is shown:
Import
Import a CRL.
Export
CA Type
Issuer name
Subject
Revoked Certifications
To import a CRL:
1. Download the most recent CRL from a CDP. One or more CDPs are usually listed in a certificate under the Details
tab.
2. From the CRL list, select Import.
3. Select Browse... to locate the file on your computer, then select OK to import the list.
When successful, the CRL will be displayed in the CRL list on the FortiAuthenticator device. You can select it
to see the details (see To view certificate details: on page 120).
Administration Guide
Fortinet Technologies Inc.
126
Certificate Management
SCEP
Trusted CAs
Trusted CA certificates can be used to validate certificates signed by an external CA.
To view the trusted CA certificate list, go to Certificate Management > Certificate Authorities > Trusted CAs.
The certificate ID, subject, issuer, and status are shown. Certificates can be imported, exported, deleted, and
searched.
SCEP
The FortiAuthenticator device contains a SCEP server that can sign user CSRs, and distribute CRLs and CA
certificates. To use SCEP, you must:
l
Enable HTTP administrative access on the interface connected to the Internet. See Interfaces on page 26.
Add the CA certificate for your certificate authority. See Certificate authorities on page 120.
Users can request a user certificate through online SCEP, found at https://<FortiAuthenticator IP
Address>/cert/scep.
General
As administrator, you can allow the FortiAuthenticator unit to either automatically sign the users certificate or
alert you about the request for signature.
To enable SCEP and configure general settings, go to Certificate Management > SCEP > General.
The following settings can be configured:
127
Administration Guide
Fortinet Technologies Inc.
SCEP
Certificate Management
Enable SCEP
Default CA
Enrollment method
Default enrollment
password
Manual and Automatic: The user submits the CSR, the request
shows up as pending on FortiAuthenticator unit, then the
administrator manually approves the pending request. Optionally,
enter an email address to send pending approval notifications to.
Enter the default enrollment password that will be used when not setting a
random password.
Enrollment requests
To view and manage certificate enrollment requests, go to Certificate Management > SCEP > Enrollment
Requests.
The following information is available:
Create New
Delete
Approve/Reject
Method
Status
Wildcard
Issuer
Subject
The number of days before the certificate enrollment request expires that it
can be renewed.
Updated at
The date and time that the enrollment request was last updated.
Administration Guide
Fortinet Technologies Inc.
128
Certificate Management
SCEP
2. If the client has lost their certificate and key, select Did the client lose his/her certificate and key?
3. Select Close to return to the enrollment request window.
Manually remove the old enrollment request, revoke its certificate, then create a new enrollment request with
exactly the same configuration and subject name as the old certificate.
Re-use the same enrollment request by resetting its status and then revoking the lost certificate.
3. To re-use the same enrollment request, select Yes, Im sure. This is the recommended method of resolving the
issue.
129
Administration Guide
Fortinet Technologies Inc.
SCEP
Certificate Management
Certificate Authority
Subject Information
Subject input
method
Select the subject input method, either Fully distinguished name or Fieldby-field.
Subject DN
If the subject input method is Fully distinguished name, enter the full
distinguished name of the subject. There should be no spaces between
attributes.
Valid DN attributes are DC, C, ST, L, O, OU, CN, and emailAddress. They
are case-sensitive.
Administration Guide
Fortinet Technologies Inc.
130
Certificate Management
Field-by-field
SCEP
If the subject input method is Field-by-field, enter the subject name in the
Name (CN) field (if the Automatic request type is set to Regular), and
optionally enter the following fields:
l
Department (OU)
Company (O)
City (L)
State/Province (ST)
E-mail address
User Principal
Name (UPN)
Enter the UPN used to find the users account in Microsoft Active Directory.
This will map the certificate to this specific user. The UPN is unique for the
Windows Server domain. This is a form of one-to-one mapping.
Additional Options
Validity period
Hash algorithm
Select the hash algorithm from the drop-down list, either SHA-1 or SHA256.
Challenge Password
Password
creation
Challenge
password
distribution
Renewal
To allow renewals, select Allow renewal, then enter the number of days
before the certificate expires.
131
Administration Guide
Fortinet Technologies Inc.
Logging
Accounting is an important part of FortiAuthenticator. The Logging menu tree provides a record of the events that
have taken place on the FortiAuthenticator unit.
Log access
To view the log events table, go to Logging > LogAccess > Logs.
The following options and information are available:
Refresh
Select to view the log type reference dialog box. See Log type reference on
page 133.
Debug Report
Search
Enter a search term in the search field, then select Search to search the log
message list.
The search string must appear in the Message portion of the log entry to
result in a match. To prevent each term in a phrase from being matched
separately, multiple keywords must be in quotes and be an exact match.
After the search is complete the number of positive matches will be
displayed next to the Search button, with the total number of log entries in
brackets following. Select the total number of log entries to return to the full
list. Subsequent searches will search all the log entries, and not just the
previous searchs results.
ID
Timestamp
Administration Guide
Fortinet Technologies Inc.
132
Logging
Level
Log access
Category
The log category, which is always Event. See Log type reference on page
133.
Sub category
Type id
Action
Status
The status if the action that created the log message, if applicable.
NAS name/IP
Short message
User
133
Search
Enter a search term in the search field, then select Search to search the log
type reference.
Type id
>Name
Administration Guide
Fortinet Technologies Inc.
Log configuration
Logging
Sub category
Category
Description
To close the Log Type Reference dialog box, select close above the top right corner of the box, or simply click
anywhere outside of the box within the log list.
Log configuration
Logs can be remotely backed up to an FTP server, automatically deleted, and sent to a remote syslog server in
lieu of storing them locally.
Log settings
To configure log backups, automatic deletion, and remote storage, go to Logging > LogConfig> Log Setting.
Select the clock icon and choose a time from the pop-up menu: Now, Midnight, 6 a.m., or Noon.
Administration Guide
Fortinet Technologies Inc.
134
Logging
Log configuration
4. Select an FTP server from the drop-down list in the FTP server field. For information on configuring an FTP
server, see FTP servers on page 38.
5. Select OK to save your settings.
Syslog servers
Syslog servers can be used to store remote logs. To view the syslog server list, go to Logging > Log Config >
Syslog Servers.
Create New
Delete
Edit
Name
Server name/IP
135
Administration Guide
Fortinet Technologies Inc.
Log configuration
Logging
Server name/IP
Port
Enter the syslog server port number. The default port is 514.
Level
Select a log level to store on the remote server from the drop down list. See
Level on page 133.
Facility
Administration Guide
Fortinet Technologies Inc.
136
Troubleshooting
This chapter provides suggestions to resolve common problems encountered while configuring and using your
FortiAuthenticator device, as well as information on viewing debug logs.
For more support, contact Fortinet Customer Service & Support (support.fortinet.com).
Before starting, please ensure that your FortiAuthenticator device is plugged in to an appropriate, and functional,
power source.
Troubleshooting
The following table describes some of the basic issues that can occur while using your FortiAuthenticator device,
and suggestions on how to solve said issues.
Problem
All user log in attempts fail,
there is no response from the
FortiAuthenticator device, and
there are no entries in the
system log.
Suggestions
l
137
Reset the users password and try again. See Editing a user on
page 54.
Have the user privately show their password to the administrator to
check for unexpected characters (possibly due to keyboard
regionalization issues).
Administration Guide
Fortinet Technologies Inc.
Debug logs
Problem
Generally, user log in attempts
are successful, however, an
individual user authentication
attempt fails with invalidtoken
in shown in the logs.
Troubleshooting
Suggestions
l
Verify that the user is not trying to use a previously used PIN.
Tokens are One Time Passwords, so you cannot log in twice
with the same PIN.
Verify that the time and timezone on the FortiAuthenticator unit are
correct and, preferably, synchronised using NTP. See Configuring
the system time, time zone, and date on page 23.
Verify that the token is correctly synchronized with the
FortiAuthenticator unit, and verify the drift by synchronizing the
token. See FortiToken drift adjustment on page 68.
Verify the user is using the token assigned to them (validate the
serial number against the FortiAuthenticator unit configuration).
See User management on page 51.
If the user is using an e-mail or SMS token, verify it is being used
within the valid timeout period. See Lockouts on page 49.
Debug logs
Extended debug logs can be accessed by using your web browser to browse to
https://<FortiAuthenticator IP Address>/debug.
Administration Guide
Fortinet Technologies Inc.
138
Troubleshooting
Service
Debug logs
Select the service whose logs are shown from the drop-down list:
l
FSSO Agent
l
GUI
HA
LDAP
RADIUS Accounting
RADIUS Authentication
SNMP
Startup
Web Server
Search
Enter a search term in the search field, then select Search to search the debug
logs.
Page navigation
Use the First Page, Previous Page, Next Page, and Last Page icons to
navigated through the logs.
Show
Select the number of lines to show per page from the drop-down list. The options
are: 100 (default), 250, and 500.
RADIUS debugging
RADIUS authentication debugging mode can be accessed to debug RADIUS authentication issues.
In the debug logs screen, select RADIUS Authentication from the Service drop-down list, then select Enter
debug mode from the toolbar.
Enter the username and password then select OK to test the RADIUS authentication and view the authentication
response and returned attributes.
Select Exit debug mode to deactivate the debugging mode.
139
Administration Guide
Fortinet Technologies Inc.
Copyright 2015 Fortinet, Inc. All rights reserved. Fortinet, FortiGate, FortiCare and FortiGuard, and certain other marks are registered trademarks of Fortinet,
Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other product or company
names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and
actual performance and other results may vary. Network variables, different network environments and other conditions may affect performance results. Nothing herein
represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written
contract, signed by Fortinets General Counsel, with a purchaser that expressly warrants that the identified product will perform according to certain expressly-identified
performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For
absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in Fortinets internal lab tests. In no event does Fortinet make any
commitment related to future deliverables, features or development, and circumstances may change such that any forward-looking statements herein are not accurate.
Fortinet disclaims in full any covenants, representations, and guarantees pursuant hereto, whether express or implied. Fortinet reserves the right to change, modify,
transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.